From james at 2-bit-toys.com Thu Sep 1 03:06:39 2005
From: james at 2-bit-toys.com (James Tu)
Date: Thu, 01 Sep 2005 00:06:39 -0700
Subject: [nycphp-talk] php and deletion of Windows directories
Message-ID: <6.2.0.14.0.20050831235613.03218350@www.2-bit-toys.com>

I have a php script and it can delete a directory and its child files without any problems on an OS X machine. However, on a Windows machine I can only delete the files in the directory but not the directory itself. I've been playing around with the permissions of the directory and the parent of the directory but I can't seem to find the right settings. What is the user that PHP runs under in Windows?

James Tu
james at 2-bit-toys.com

From phil at bearingasset.com Thu Sep 1 05:32:46 2005
From: phil at bearingasset.com (Phil Duffy)
Date: Thu, 1 Sep 2005 05:32:46 -0400
Subject: [nycphp-talk] Partial Name Lookup Function in PEAR
In-Reply-To: <8C77CAA3E05A480-94C-297D@MBLK-M28.sysops.aol.com>
Message-ID: <20050901093248.8A213A8771@virtu.nyphp.org>

Lee,

Thanks for the clue. That will get me started.

Phil

_____
From: talk-bounces at lists.nyphp.org [mailto:talk-bounces at lists.nyphp.org] On Behalf Of leeeyerman at aol.com
Sent: Wednesday, August 31, 2005 8:19 PM
To: talk at lists.nyphp.org
Subject: Re: [nycphp-talk] Partial Name Lookup Function in PEAR

I do not know about PEAR, but if you are just trying to look up a first or last name (or any other name/text) using only a partial piece of information, the LIKE command is best.

SELECT "column" FROM "table" WHERE "column_name" LIKE [PATTERN]

i.e. SELECT * FROM pics WHERE pic_name LIKE '%ANG%'

This would return all pic_name where ANG is contained in the string.
http://www.1keydata.com/sql/sqllike.html
http://www.techonthenet.com/sql/like.php

-----Original Message-----
From: Phil Duffy
To: 'NYPHP Talk'
Sent: Wed, 31 Aug 2005 21:05:48 -0400
Subject: [nycphp-talk] Partial Name Lookup Function in PEAR

Does PEAR offer a partial name lookup function? What is the best way to do a partial name lookup in a database-independent manner? If I must drop back to hard-coded MySQL calls, is the LOCATE() function the appropriate one to use in this situation?

Any responses will be appreciated, including advice to direct these questions to another list.

Phil Duffy
_______________________________________________
New York PHP Talk Mailing List
AMP Technology
Supporting Apache, MySQL and PHP
http://lists.nyphp.org/mailman/listinfo/talk
http://www.nyphp.org

From cliff at pinestream.com Thu Sep 1 09:25:59 2005
From: cliff at pinestream.com (Cliff Hirsch)
Date: Thu, 1 Sep 2005 09:25:59 -0400
Subject: [nycphp-talk] Need help randomly accessing records from a database
In-Reply-To: <6.2.0.14.0.20050831235613.03218350@www.2-bit-toys.com>
Message-ID: <002801c5aef8$b1817160$11a8a8c0@cliff>

I need to randomly access records from a database and have come up with the following solution:

1. Find max primary key id
2. Generate random # between 0 & max
3. Get record

This solution implies that the primary key value is 0...Max, sequentially without "holes".

But what if I delete records or want to "mask out" certain records? If I delete records, it seems like the only method would be to reindex the database. And to mask, I'm lost other than using a 2nd database containing just the desired records with a join to the first.

Any ideas?

Cliff Hirsch
_______________________________
Pinestream Communications, Inc.
Publisher of Semiconductor Times & Telecom Trends 52 Pine Street, Weston, MA 02493 USA Tel: 781.647.8800, Fax: 781.647.8825 http://www.pinestream.com From dcech at phpwerx.net Thu Sep 1 09:35:51 2005 From: dcech at phpwerx.net (Dan Cech) Date: Thu, 01 Sep 2005 09:35:51 -0400 Subject: [nycphp-talk] Need help randomly accessing records from a database In-Reply-To: <002801c5aef8$b1817160$11a8a8c0@cliff> References: <002801c5aef8$b1817160$11a8a8c0@cliff> Message-ID: <431703B7.4030102@phpwerx.net> Try this: SELECT * FROM `sometable` ORDER BY RAND() LIMIT 1 Dan Cliff Hirsch wrote: > I need to randomly access records from a database and have come up with > the following solution: > > 1. Find max primary key id > 2. Generate random # between 0 & max > 3. Get record > > This solution implies that the primary key value is 0...Max, > sequentially without "holes". > > But what it I delete records or want to "mask out" certain records? If I > delete records, it's seems like the only method would be to reindex the > database. And to mask, I'm lost other than using a 2nd database > containing just the desired records with a join to the first. > > Any ideas? > > Cliff Hirsch From jellicle at gmail.com Thu Sep 1 09:37:36 2005 From: jellicle at gmail.com (Michael Sims) Date: Thu, 1 Sep 2005 09:37:36 -0400 Subject: [nycphp-talk] Need help randomly accessing records from a database In-Reply-To: <002801c5aef8$b1817160$11a8a8c0@cliff> References: <002801c5aef8$b1817160$11a8a8c0@cliff> Message-ID: <200509010937.37350.jellicle@gmail.com> On Thursday 01 September 2005 09:25, Cliff Hirsch wrote: > I need to randomly access records from a database and have come up with > the following solution: > Any ideas? SELECT field1, field2, rand() AS myrand FROM table ORDER BY myrand LIMIT 1; It's a common problem. With a solution that's easy, once you know it. 
:)

Michael Sims

From cliff at pinestream.com Thu Sep 1 09:41:57 2005
From: cliff at pinestream.com (Cliff Hirsch)
Date: Thu, 1 Sep 2005 09:41:57 -0400
Subject: [nycphp-talk] Need help randomly accessing records from adatabase
In-Reply-To: <200509010937.37350.jellicle@gmail.com>
Message-ID: <003001c5aefa$edc69a40$11a8a8c0@cliff>

Awesome! I knew there had to be something out there!

-----Original Message-----
From: talk-bounces at lists.nyphp.org [mailto:talk-bounces at lists.nyphp.org] On Behalf Of Michael Sims
Sent: Thursday, September 01, 2005 9:38 AM
To: NYPHP Talk
Subject: Re: [nycphp-talk] Need help randomly accessing records from adatabase

On Thursday 01 September 2005 09:25, Cliff Hirsch wrote:
> I need to randomly access records from a database and have come up
> with the following solution:
> Any ideas?

SELECT field1, field2, rand() AS myrand FROM table ORDER BY myrand LIMIT 1;

It's a common problem. With a solution that's easy, once you know it. :)

Michael Sims

From dcech at phpwerx.net Thu Sep 1 10:00:09 2005
From: dcech at phpwerx.net (Dan Cech)
Date: Thu, 01 Sep 2005 10:00:09 -0400
Subject: [nycphp-talk] Need help randomly accessing records from a database
In-Reply-To: <002801c5aef8$b1817160$11a8a8c0@cliff>
References: <002801c5aef8$b1817160$11a8a8c0@cliff>
Message-ID: <43170969.7090304@phpwerx.net>

Cliff Hirsch wrote:
> I need to randomly access records from a database and have come up with
> the following solution:

After I posted my last response I realised something I'd forgotten to mention.

For result sets larger than a few thousand rows you will most likely get better mileage out of something like:

$sql = 'SELECT COUNT(*) FROM `sometable`';
$cnt = $db->getOne($sql);
$rnd = mt_rand(0,$cnt - 1);
$sql = 'SELECT * FROM `sometable` LIMIT '.
$rnd .',1';
$row = $db->getRow($sql);

My testing on a table with 50,000 rows indicated that this method was twice as fast on the first run and a massive 10x as fast for subsequent runs.

Dan

From RLindner at morrisjohnson.com Thu Sep 1 10:52:38 2005
From: RLindner at morrisjohnson.com (Lindner, Richard)
Date: Thu, 1 Sep 2005 10:52:38 -0400
Subject: [nycphp-talk] php and deletion of Windows directories
Message-ID:

>> However, on a Windows machine I can only delete the files in the directory
>> but not the directory itself. I've been playing around with the
>> permissions of the directory and the parent of the directory but I can't
>> seem to find the right settings. What is the user that PHP runs under in
>> Windows?

I believe that you're running into the limitation of the "delete" command in Windows. In order to remove a directory, you need to use the "RD" or "RMDIR" command after deleting the files in the folder.

From leam at reuel.net Thu Sep 1 11:21:50 2005
From: leam at reuel.net (leam at reuel.net)
Date: Thu, 1 Sep 2005 11:21:50 -0400
Subject: [nycphp-talk] DocumentRoot array oddness.
Message-ID: <20050901152150.GH2801@leitz.reuel.net>

I know I'm doing something wrong, just not sure what.

Here's the output from the web page:

DOCDIR is Array

PHPDIR is /home/alba/php

Here's the PHP bit that creates it:

$DOCDIR = explode("/", "$_SERVER[DOCUMENT_ROOT]");
echo "DOCDIR is $DOCDIR";
array_pop($DOCDIR);
array_push($DOCDIR , "php");
$PHPDIR = implode("/", $DOCDIR );
echo "PHPDIR is $PHPDIR";
array_pop($DOCDIR);

$DOCDIR *should* be /home/alba. Or even the actual DocumentRoot as alba is a v-host. It should *not* be "Array", and for the life of me I can't see how $PHPDIR gets set with $DOCDIR in a mess.

What do I need to straighten out?

ciao!

leam

From kenrbnsn at rbnsn.com Thu Sep 1 11:35:03 2005
From: kenrbnsn at rbnsn.com (Ken Robinson)
Date: Thu, 01 Sep 2005 11:35:03 -0400
Subject: [nycphp-talk] DocumentRoot array oddness.
In-Reply-To: <20050901152150.GH2801@leitz.reuel.net>
References: <20050901152150.GH2801@leitz.reuel.net>
Message-ID: <6.2.5.4.2.20050901113013.02959840@rbnsn.com>

At 11:21 AM 9/1/2005, leam at reuel.net wrote:
>I know I'm doing something wrong, just not sure what.
>
>Here's the output from the web page:
>
>DOCDIR is Array
>
>PHPDIR is /home/alba/php
>
>Here's the PHP bit that creates it:
>
> $DOCDIR = explode("/", "$_SERVER[DOCUMENT_ROOT]");

The explode() function creates an array from a string using the delineator that you specify.

> echo "DOCDIR is $DOCDIR";

echo '<pre>';print_r($DOCDIR);echo '</pre>';

> array_pop($DOCDIR);
> array_push($DOCDIR , "php");
> $PHPDIR = implode("/", $DOCDIR );
> echo "PHPDIR is $PHPDIR";
> array_pop($DOCDIR);
>
>$DOCDIR *should* be /home/alba. Or even the actual DocumentRoot as
>alba is a v-host. It should *not* be "Array", and for the life of me
>I can't see how $PHPDIR gets set with $DOCDIR in a mess.

$PHPDIR gets created correctly since everywhere else you are treating $DOCDIR as the array it is. The implode() function creates a string from an array putting the string you specify between each element in the array.

Ken Robinson

From steve.rieger at tbwachiat.com Thu Sep 1 12:17:17 2005
From: steve.rieger at tbwachiat.com (Steve Rieger)
Date: Thu, 1 Sep 2005 12:17:17 -0400
Subject: [nycphp-talk] large file download
Message-ID: <0A5C091C-BEC2-40E2-9BAF-5A6D0C876B89@tbwachiat.com>

hi all
have an interesting question

i have large files that i am trying to download, anything up to 230 MB works but from 250 and up i can not download. i get no errors in the error logs, and when i hit the download button apache seems to request the file but does not.

here are my php info variables for this dir, as defined in .htaccess

max_input_time 60
memory_limit 947M
output_buffering 4096

this is a page written in php, the files are there, and i can d/l the ones smaller than 250 MB. any pointers. all the files are on local disks.

--
Steve Rieger
AIM chozrim
ICQ 53956607
Cell 646 335 8915
steve.rieger at tbwachiat.com

I had the blues because I had no shoes until upon the street, I met a man who had no feet.
Biker Blues

From cliff at pinestream.com Thu Sep 1 12:44:42 2005
From: cliff at pinestream.com (Cliff Hirsch)
Date: Thu, 1 Sep 2005 12:44:42 -0400
Subject: [nycphp-talk] PHP Form Validation
In-Reply-To: <0A5C091C-BEC2-40E2-9BAF-5A6D0C876B89@tbwachiat.com>
Message-ID: <006701c5af14$7429f280$11a8a8c0@cliff>

PHPBuilder just posted this article: PHP Form Validation System: An Object-Oriented Approach
See: http://www.phpbuilder.com/columns/weiner20050831.php3

Beside the primary validation content, the article uses the following example, which I often see:

I often wonder (but not when I'm with my wife) what the pros and cons are of using value= $_POST['something'] versus value = $fresh_variable.

First, can't $_POST['email'] create an error, since on first pass, the 'email' key would not exist.

Second, how do you set default values? You would be setting the Post array, which changes the source of the value from a form post to a program. Doesn't seem right to me.
Third, if you do want to "scrub" the input, that implies modifying $_POST['something'], which is in direct conflict with Chris Shiflett's $clean_array approach. Ok, so what's the harm in letting a user send him/herself a potential script -- still seems wrong to me.

Comments?

Cliff Hirsch

From agfische at email.smith.edu Thu Sep 1 12:52:51 2005
From: agfische at email.smith.edu (Aaron Fischer)
Date: Thu, 01 Sep 2005 12:52:51 -0400
Subject: [nycphp-talk] PHP Form Validation
In-Reply-To: <006701c5af14$7429f280$11a8a8c0@cliff>
References: <006701c5af14$7429f280$11a8a8c0@cliff>
Message-ID: <431731E3.7080105@email.smith.edu>

If the $_POST['var'] doesn't have a value or hasn't been created, nothing is outputted, so the form just has value="" in the html form. Nothing wrong with that as far as I know. I use something similar in my forms, haven't run into any problems.

-Aaron

Cliff Hirsch wrote:
> PHPBuilder just posted this article: PHP Form Validation System: An
> Object-Oriented Approach
> See: http://www.phpbuilder.com/columns/weiner20050831.php3
>
> Beside the primary validation content, the article uses the following
> example, which I often see:
>
>
> I often wonder (but not when I'm with my wife) what the pros and cons
> are of using value= $_POST['something'] versus value = $fresh_variable.
>
> First, can't $_POST['email'] create an error, since on first pass, the
> 'email' key would not exist.
>
> Second, how do you set default values? You would be setting the Post
> array, which changes the source of the value from a form post to a
> program. Doesn't seem right to me.
>
> Third, if you do want to "scrub" the input, that implies modifying
> $_POST['something'], which is in direct conflict with Chris
> Shiflett's $clean_array approach. Ok, so what's the harm in letting a
> user send him/herself a potential script -- still seems
> wrong to me.
>
> Comments?
> > Cliff Hirsch From hendler at simmons.edu Thu Sep 1 13:02:49 2005 From: hendler at simmons.edu (Jonathan) Date: Thu, 01 Sep 2005 13:02:49 -0400 Subject: [nycphp-talk] PHP Form Validation In-Reply-To: <431731E3.7080105@email.smith.edu> References: <006701c5af14$7429f280$11a8a8c0@cliff> <431731E3.7080105@email.smith.edu> Message-ID: <43173439.2000803@simmons.edu> Without looking at the PHP builder article - I think there are many things wrong with embedding $_POST in form html: 1. if you display warning messages in your PHP ini it will display a warning on the first pass 2. you can't run filters before display like htmlentities - the user can input javascript, html, or other ickiness like even a double quote can break the form 3. what if you have a form with 10 steps and you want the user to be able to go back to a stage 3 and modify the data they had entered? 4. html should probably be in a template file What's trying to be accomplished is in a sense "state preservation" as well as cleaning/checking of the data. Just embedding $_REQUEST, $_POST, or $_GET is insufficient for any larger application. Aaron Fischer wrote: >If the $_POST['var'] doesn't have a value or hasn't been created, >nothing is outputted, so the form just has value="" in the html form. >Nothing wrong with that as far as I know. I use something similar in my >forms, haven't run into any problems. > >-Aaron > > >Cliff Hirsch wrote: > > > >>PHPBuilder just posted this article: PHP Form Validation System: An >>Object-Oriented Approach >>See: http://www.phpbuilder.com/columns/weiner20050831.php3 >> >>Beside the primary validation content, the article uses the following >>example, which I often see: >> >> >>I often wonder (but not when I'm with my wife) what the pros and cons >>are of using value= $_POST['something'] versus value = $fresh_variable. >> >>First, can't $_POST['email'] create an error, since on first pass, the >>'email' key would not exist. >> >>Second, how do you set default values? 
You would be setting the Post
>>array, which changes the source of the value from a form post to a
>>program. Doesn't seem right to me.
>>
>>Third, if you do want to "scrub" the input, that implies modifying
>>$_POST['something'], which is in direct conflict with Chris
>>Shiflett's $clean_array approach. Ok, so what's the harm in letting a
>>user send him/herself a potential script -- still seems
>>wrong to me.
>>
>>Comments?
>>
>>Cliff Hirsch
>>
>>
>
>

From mail at billyreisinger.com Thu Sep 1 13:06:28 2005
From: mail at billyreisinger.com (Billy Reisinger)
Date: Thu, 01 Sep 2005 13:06:28 -0400
Subject: [nycphp-talk] PHP Form Validation
In-Reply-To: <006701c5af14$7429f280$11a8a8c0@cliff>
References: <006701c5af14$7429f280$11a8a8c0@cliff>
Message-ID: <43173514.8080403@billyreisinger.com>

Cliff Hirsch wrote:

It would seem to me that, whether you plan on using a $_REQUEST['variable'] or a $fresh_variable directly in your form, you will still need to do the same sort of validation and security checking on it.

> PHPBuilder just posted this article: PHP Form Validation System: An
> Object-Oriented Approach
> See: http://www.phpbuilder.com/columns/weiner20050831.php3
>
> Beside the primary validation content, the article uses the following
> example, which I often see:
>
>
> I often wonder (but not when I'm with my wife) what the pros and cons
> are of using value= $_POST['something'] versus value = $fresh_variable.
>
> First, can't $_POST['email'] create an error, since on first pass, the
> 'email' key would not exist.

Yeah, using an unset variable will throw a warning; you wouldn't see it unless your error reporting is set to see warnings.
You can use a few lines of code to set a bunch of variables that are used in your forms. I think it is good practice to set all variables before using them - many other programming languages require this. $array_of_variable_names = array("email", "name", "blah"); foreach($array_of_variable_names as $variable_name) { if (!isset($_REQUEST[$variable_name])) { $_REQUEST[$variable_name] = ""; } } > > Second, how do you set default values? You would be setting the Post > array, which changes the source of the value from a form post to a > program. Doesn't seem right to me. use the isset() function to detect whether the variable has been set by the user ... if it hasn't, create a default value. You can even do this one quickly, too. //load an array with names of variables and default values $variables_and_defaults = array("variable1"=>"value1", "variable2"=>"value2"); //cycle through the array foreach($variables_and_defaults as $variable_name => $variable_value) { //if this variable is not set, if (!isset($$variable_name)) { //assign it the default value you associated with it above. $$variable_name = $variable_value; } } That's the general idea; I haven't checked it for errors, but it should work. > > Third, if you do want to "scrub" the input, that implies modifying > $_POST['something'], which is in direct conflict with Chris > Shiftlett's $clean_array approach. Ok, so what's the harm in letting a > user send him/herself a potential script -- still seems > wrong to me. > A number of reasons! The mail() script can be hijacked in any number of ways; it is always a good idea to thoroughly clean any variables that are used in that function. mysql queries are vulnerable to attack, too, so be sure never to trust any variable that passes from page to page. 
Cheers, Billy Reisinger From jellicle at gmail.com Thu Sep 1 13:31:31 2005 From: jellicle at gmail.com (Michael Sims) Date: Thu, 1 Sep 2005 13:31:31 -0400 Subject: [nycphp-talk] PHP Form Validation In-Reply-To: <006701c5af14$7429f280$11a8a8c0@cliff> References: <006701c5af14$7429f280$11a8a8c0@cliff> Message-ID: <200509011331.31227.jellicle@gmail.com> On Thursday 01 September 2005 12:44, Cliff Hirsch wrote: > Beside the primary validation content, the article uses the following > example, which I often see: > This is a cross-site scripting hole. > Third, if you do want to "scrub" the input, that implies modifying > $_POST['something'], which is in direct conflict with Chris Shiftlett's > $clean_array approach. Ok, so what's the harm in letting a user send > him/herself a potential script -- still seems wrong to me. Ah, but suppose the user didn't do it to himself. Suppose I make a javascript function on my site. The javascript on my site tells the web browser visiting my site to submit a form to YOUR site, with some POST variables. Maybe the "email" variable in the POST request is set to, say: "> Now when the person browsing MY site executes that Javascript on MY site, his browser visits your site, submits a form, and the resulting page (which has access to the user's cookies) looks like: " /> So the generated page, rendering on the user's machine and with access to the user's cookies for YOUR website, can now contain and execute ANY Javascript that *I* want to execute, which can easily send me your user's cookies (which may allow me to impersonate your user). And again, all the user has to do is visit MY website with Javascript enabled in order for their cookies for your website to be stolen. It is a conceptual error that content seen only by the user can't be a security hole. It can. DO NOT echo POST, GET, or COOKIE variables back to the user without AT LEAST escaping things like quotes, angle brackets, and so on. 
The htmlspecialchars() or htmlentities() functions are a good start. Michael Sims From mitch.pirtle at gmail.com Thu Sep 1 14:19:08 2005 From: mitch.pirtle at gmail.com (Mitch Pirtle) Date: Thu, 1 Sep 2005 14:19:08 -0400 Subject: [nycphp-talk] What's in a name In-Reply-To: <330532b6050901111272d269d8@mail.gmail.com> References: <330532b6050901111272d269d8@mail.gmail.com> Message-ID: <330532b6050901111938ba51fe@mail.gmail.com> Here is the actual press release: Award-winning Development Team Welcomes New Arrival -- Joomla! The multi-award-winning team of core developers, that developed the world's most popular content management system known as Mambo, has changed the name of their software to Joomla! Today, the development team unveiled the Joomla! project's new home at www.joomla.org. The Joomla! project announcement comes three weeks after the development team unanimously voted to secure the project's future in the spirit of open source software. The development team formed Open Source Matters (www.opensourcematters.org) to distribute information to users, developers, web designers and the community in general. Project leader Andrew Eddie made the announcement today, heralding the forthcoming release of Joomla! 1.0.0, the team's first release under the new structure and brand. "This forthcoming release will be a celebration for everyone," Mr Eddie said. "It marks the continuation of one of the best open source software collaborations without commercial restraint or intervention." He said the baby Joomla! would be a mature release of the project, which includes rebranding, bug fixes and security patches. The Joomla! roadmap about forthcoming releases of the project can be found at the Joomla! website. Core team member Brian Teeman said the release of Joomla! was particularly important to the large user base, which had "supported us through thick and thin". 
"The community is now free to celebrate the new arrival and know the project is in very safe hands indeed," Mr Teeman said. The core team has been working very closely with the Software Freedom Law Center (SFLC), in New York, to establish the Joomla! and Open Source Matters entities. The SFLC provided legal representation and other law related services to protect and advance free and open source software. "We are grateful for the excellent guidance and legal advice provided -- at extremely short notice -- by Eben Moglen and his team at the centre," Mr Teeman said. "During Joomla's evolution, the project has received thousands of emails, posts, letters and phone calls of support from people all over the world," Mr Eddie said. "The number of people expressing support is quite staggering -- including hobbyists, developers, third-party developers, web designers, business owners, teachers, students, even members of other CMS projects ... the list goes on and on," he said. "Now the word is out and Joomla! has been born, we are focussed on continuing our award-winning work and taking the project to new heights." Joomla! website creation software is released under GNU Public License. Read more at www.joomla.org and www.opensourcematters.org. Release prepared by Peter Russell Authorised by Andrew Eddie and Brian Teeman -- Mitch Pirtle Joomla! Core Developer From chsnyder at gmail.com Thu Sep 1 16:25:00 2005 From: chsnyder at gmail.com (csnyder) Date: Thu, 1 Sep 2005 16:25:00 -0400 Subject: [nycphp-talk] large file download In-Reply-To: <0A5C091C-BEC2-40E2-9BAF-5A6D0C876B89@tbwachiat.com> References: <0A5C091C-BEC2-40E2-9BAF-5A6D0C876B89@tbwachiat.com> Message-ID: On 9/1/05, Steve Rieger wrote: > hi all > have an interesting question > i have large files that i am trying to download, anything up to 230 MB works > but from 250 and up i can not download. i get no errors in the error logs, > and when i hit the download button apache seems to request the file but does > not. 
> here are my php info variables for this dir, as defined in .htaccess
>
> max_input_time 60
> memory_limit 947M
> output_buffering 4096
>
>
> this is a page written in php, the files are there, and i can d/l the ones
> smaller than 250 MB. any pointers. all the files are on local disks.

No real ideas, but a hunch... check your server system log ( /var/log/messages on Linux ) for signs that httpd has crashed. Not sure what you would do about it, but if you don't see any indication that Apache is barfing, you can cross that possibility off the list and look for other factors.

What *does* happen? Zero-length file?
Is there an entry in the httpd access_log?

Hmmm.

--
Chris Snyder
http://chxo.com/

From hendler at simmons.edu Thu Sep 1 16:49:36 2005
From: hendler at simmons.edu (Jonathan)
Date: Thu, 01 Sep 2005 16:49:36 -0400
Subject: [nycphp-talk] large file download
In-Reply-To:
References: <0A5C091C-BEC2-40E2-9BAF-5A6D0C876B89@tbwachiat.com>
Message-ID: <43176960.3080901@simmons.edu>

If I remember you were trying to do some operation using zip files and fread. Is apache downloading the files directly, or do you pass the files through php and push out the http headers from there? If you are passing the binary data through php you might want to read in chunks then flush the data to the browser (base 64 encode also) rather than one long stream.

csnyder wrote:
>On 9/1/05, Steve Rieger wrote:
>
>
>>hi all
>>have an interesting question
>>i have large files that i am trying to download, anything up to 230 MB works
>>but from 250 and up i can not download. i get no errors in the error logs,
>>and when i hit the download button apache seems to request the file but does
>>not.
>>here are my php info variables for this dir, as defined in .htaccess
>>
>>max_input_time 60
>>memory_limit 947M
>>output_buffering 4096
>>
>>
>>this is a page written in php, the files are there, and i can d/l the ones
>>smaller than 250 MB. any pointers. all the files are on local disks.
>> >> > >No real ideas, but a hunch... check your server system log ( >/var/log/messages on Linux ) for signs that httpd has crashed. Not >sure what you would do about it, but if you don't see any indication >that Apache is barfing, you can cross that possibly off the list and >look for other factors. > >What *does* happen? Zero-length file? >Is there an entry in the httpd access_log? > >Hmmm. > > > From shiflett at php.net Thu Sep 1 18:37:02 2005 From: shiflett at php.net (Chris Shiflett) Date: Thu, 01 Sep 2005 18:37:02 -0400 Subject: [nycphp-talk] PHP Form Validation In-Reply-To: <006701c5af14$7429f280$11a8a8c0@cliff> References: <006701c5af14$7429f280$11a8a8c0@cliff> Message-ID: <4317828E.5030206@php.net> Cliff Hirsch wrote: > See: http://www.phpbuilder.com/columns/weiner20050831.php3 > > Beside the primary validation content, the article uses the > following example, which I often see: > This is really a big problem within our community. I can't think of a more obvious XSS vulnerability, but here it is in an article that numerous developers will read and apply to their own development. In the past, I have made a conscious effort to contact the author of any article that teaches poor practices like this, but I very rarely get a response. I can only think of one article that was ever corrected - Zend removed one of their articles at my request. I've considered blogging about (or otherwise making public) the problems with an article such as this, but I don't like to spread unfriendliness - after all, the friendly nature of the PHP community is what I like about it. > First, can't $_POST['email'] create an error, since on first pass, > the 'email' key would not exist. Yes, and although there are many ways to deal with this, none have ever seemed very elegant to me. The lesser of evils is to initialize elements within $_POST that you reference in this way, but I don't like modifying anything in $_POST, ever. 
I often see people using error suppression, which I really hate:

In fact, this was in some courseware from which I was teaching once. I couldn't believe it. Not only is it not a very good practice to be teaching, but imagine being new to PHP and trying to digest that statement one character at a time:

< ? = @ $ _

Good grief! If I wanted to write code like that, I'd be using Perl. :-)

> Second, how do you set default values? You would be setting the
> Post array, which changes the source of the value from a form post
> to a program. Doesn't seem right to me.

Me neither. :-)

> Third, if you do want to "scrub" the input, that implies modifying
> $_POST['something'], which is in direct conflict with Chris
> Shiflett's $clean_array approach.

I think this article neither filters input nor escapes output, despite the fact that it's supposed to be an article about input filtering.

> Ok, so what's the harm in letting a user send him/herself a
> potential script -- still seems wrong to me.

I usually give examples that use $_GET in an attempt to solicit this question - who cares if the user attacks himself? Well, with $_GET, clearly the malicious content can be embedded in a link to your application. With $_POST, it's not quite as easy, but it's still possible - a "link" to your application can really be a form submission.

So, it sounds like you have good instincts.
:-) Chris -- Chris Shiflett Brain Bulb, The PHP Consultancy http://brainbulb.com/ From dmintz at davidmintz.org Thu Sep 1 21:41:35 2005 From: dmintz at davidmintz.org (David Mintz) Date: Thu, 1 Sep 2005 21:41:35 -0400 (EDT) Subject: [nycphp-talk] PHP Form Validation In-Reply-To: <4317828E.5030206@php.net> References: <006701c5af14$7429f280$11a8a8c0@cliff> <4317828E.5030206@php.net> Message-ID: On Thu, 1 Sep 2005, Chris Shiflett wrote: > Cliff Hirsch wrote: > > See: http://www.phpbuilder.com/columns/weiner20050831.php3 > > > > Beside the primary validation content, the article uses the > > following example, which I often see: > > > > This is really a big problem within our community. I can't think of a > more obvious XSS vulnerability, but here it is in an article that > numerous developers will read and apply to their own development. I can testify that reading questionable tutorials and articles can set you way back. Granted it was back in the days when people were still using PHP 3, and security- and hygienic awareness in general was probably lower, but when I first started using PHP I got off to a poor start relying on register_globals, using uninitialized variables, developing without E_NOTICE turned on, not quoting $array[key], etc, all because of following published examples. Sure, a more experienced, heads-up developer would have known better, but... 
--- David Mintz http://davidmintz.org/ From mail at billyreisinger.com Thu Sep 1 22:36:40 2005 From: mail at billyreisinger.com (Billy Reisinger) Date: Thu, 1 Sep 2005 22:36:40 -0400 Subject: [nycphp-talk] PHP Form Validation In-Reply-To: <4317828E.5030206@php.net> References: <006701c5af14$7429f280$11a8a8c0@cliff> <4317828E.5030206@php.net> Message-ID: <296BEAE9-A9E9-47C3-BA51-F43B9C856EED@billyreisinger.com> On Sep 1, 2005, at 6:37 PM, Chris Shiflett wrote: > Cliff Hirsch wrote: > >> See: http://www.phpbuilder.com/columns/weiner20050831.php3 >> >> Beside the primary validation content, the article uses the >> following example, which I often see: >> >> > > This is really a big problem within our community. I can't think of a > more obvious XSS vulnerability, but here it is in an article that > numerous developers will read and apply to their own development. > Correct me if I'm wrong here, folks, but using a $_POST['variable'] directly in a form is no more or less vulnerable to attack than using a different variable that is a reference to a $_POST variable. If you want to carry over form values after errors or across multiple form pages (i.e. preserve state), you have to reference these $_POST variables eventually, in some form or fashion. In this sense, ALL forms are vulnerable to hacks. It should be a necessary step for you to validate and protect yourself against any variable that your users can change. 
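To make the disagreement above concrete, here is an added example written for this archive (it is not code from any poster in the thread). It puts the pattern the criticised article uses beside the filter-then-escape pattern, so the difference in what reaches the markup is visible. The field names, the helper function names and the sample submission are constructed for illustration.

```php
<?php
// Added example, not from the thread. Re-populating a form field from
// $_POST after a validation error, done the unsafe way and the safe way.

declare(strict_types=1);

/**
 * Unsafe: the raw submitted value is dropped straight into an attribute.
 * Whatever the submitter typed, quotes and tags included, lands in the
 * page unescaped, so the attribute boundary is at the submitter's mercy.
 */
function username_field_unsafe(array $post): string
{
    $value = $post['username'] ?? '';
    return '<input type="text" name="username" value="' . $value . '" />';
}

/**
 * Safe: filter input into $clean, then escape for the HTML attribute
 * context into $html, before anything touches the markup.  The whitelist
 * (alphanumeric only) is the one used in the thread; it is deliberately
 * strict because a username has no business containing anything else.
 */
function username_field_safe(array $post): string
{
    $clean = [];
    $html  = [];

    // Input filtering: accept only what the field is supposed to hold.
    // Rejected values are replaced, never "scrubbed" in place in $_POST.
    if (isset($post['username']) && is_string($post['username'])
        && ctype_alnum($post['username'])) {
        $clean['username'] = $post['username'];
    } else {
        $clean['username'] = '';
    }

    // Output escaping for an HTML attribute, with an explicit charset.
    $html['username'] = htmlentities($clean['username'], ENT_QUOTES, 'UTF-8');

    return '<input type="text" name="username" value="' . $html['username'] . '" />';
}

/**
 * A field that must accept arbitrary text (a display name, say) cannot be
 * filtered down to alphanumerics, but escaping at the output boundary still
 * keeps the value inside the attribute.  $name is a developer-supplied
 * constant, never user data.
 */
function free_text_field_safe(array $post, string $name): string
{
    $raw   = isset($post[$name]) && is_string($post[$name]) ? $post[$name] : '';
    $value = htmlentities($raw, ENT_QUOTES, 'UTF-8');
    return '<input type="text" name="' . $name . '" value="' . $value . '" />';
}

// Constructed sample submission (not from the thread): the values carry a
// double quote and angle brackets, the characters that matter in attribute
// context.  Compare what each function returns for the same input.
$sample = [
    'username' => 'bob"<b>',
    'fullname' => 'Bob "The Builder" <Smith>',
];

header('Content-Type: text/html; charset=UTF-8');
echo username_field_unsafe($sample), "\n";
echo username_field_safe($sample), "\n";
echo free_text_field_safe($sample, 'fullname'), "\n";
```

Run it from the command line with a PHP 7 or later interpreter and compare the three lines: the first one's attribute is broken open by the quote, the second one has been emptied by the whitelist, and the third one still holds the whole display name but with `"` and `<` encoded. The point the thread is making is the third case: referencing a $_POST value to preserve state is unavoidable, but what decides whether the form is vulnerable is whether the value is escaped for its output context on the way back out.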
From hendler at simmons.edu Fri Sep 2 00:20:37 2005
From: hendler at simmons.edu (Jonathan)
Date: Fri, 02 Sep 2005 00:20:37 -0400
Subject: [nycphp-talk] PHP Form Validation
In-Reply-To: <296BEAE9-A9E9-47C3-BA51-F43B9C856EED@billyreisinger.com>
References: <006701c5af14$7429f280$11a8a8c0@cliff> <4317828E.5030206@php.net> <296BEAE9-A9E9-47C3-BA51-F43B9C856EED@billyreisinger.com>
Message-ID: <4317D315.6050808@simmons.edu>

Billy Reisinger wrote:
> On Sep 1, 2005, at 6:37 PM, Chris Shiflett wrote:
>
>> Cliff Hirsch wrote:
>>
>>> See: http://www.phpbuilder.com/columns/weiner20050831.php3
>>>
>>> Beside the primary validation content, the article uses the
>>> following example, which I often see:
>>>
>>
>> This is really a big problem within our community. I can't think of a
>> more obvious XSS vulnerability, but here it is in an article that
>> numerous developers will read and apply to their own development.
>
> Correct me if I'm wrong here, folks, but using a $_POST['variable']
> directly in a form is no more or less vulnerable to attack than using
> a different variable that is a reference to a $_POST variable. If
> you want to carry over form values after errors or across multiple
> form pages (i.e. preserve state), you have to reference these $_POST
> variables eventually, in some form or fashion. In this sense, ALL
> forms are vulnerable to hacks. It should be a necessary step for
> you to validate and protect yourself against any variable that your
> users can change.

Using $_POST is using a global variable - which if validated and transformed is an abuse of what $_POST is meant to represent. By moving variables out of global to preserve state you gain control of the variable ever changing again. And the problem is deeper than about vulnerability to "attack" - it's also about making reusable and clean architectures.
So I see how you might say $_POST is like any other user altered variable - but the article being criticized is still promoting bad practice and, I guess from what is being said, makes no attempt to point out the obvious problems with embedding these tags in a form.

From chsnyder at gmail.com Fri Sep 2 10:16:39 2005
From: chsnyder at gmail.com (csnyder)
Date: Fri, 2 Sep 2005 10:16:39 -0400
Subject: [nycphp-talk] PHP Form Validation
In-Reply-To:
References: <006701c5af14$7429f280$11a8a8c0@cliff> <4317828E.5030206@php.net>
Message-ID:

On 9/1/05, David Mintz wrote:
> > > See: http://www.phpbuilder.com/columns/weiner20050831.php3
> I can testify that reading questionable tutorials and articles can set you
> way back. Granted it was back in the days when people were still using PHP
> 3, and security- and hygienic awareness in general was probably lower

Speaking of still using php3... I wonder if they really are, or if that's simply a naming convention.

--
Chris Snyder
http://chxo.com/

From shiflett at php.net Fri Sep 2 12:50:46 2005
From: shiflett at php.net (Chris Shiflett)
Date: Fri, 02 Sep 2005 12:50:46 -0400
Subject: [nycphp-talk] PHP Form Validation
In-Reply-To: <296BEAE9-A9E9-47C3-BA51-F43B9C856EED@billyreisinger.com>
References: <006701c5af14$7429f280$11a8a8c0@cliff> <4317828E.5030206@php.net> <296BEAE9-A9E9-47C3-BA51-F43B9C856EED@billyreisinger.com>
Message-ID: <431882E6.8010905@php.net>

Billy Reisinger wrote:
> Correct me if I'm wrong here, folks, but using a $_POST['variable']
> directly in a form is no more or less vulnerable to attack than
> using a different variable that is a reference to a $_POST variable.

That's right. In other words, the following is an example of a cross-site scripting vulnerability if $username is tainted:

    echo "
    Welcome, $username!
    ";

It's very easy to make a mistake that taints a variable without being obvious. For example, sometimes data is massaged several times before being used:

    $user = $_POST['user'];

    /* ... */

    $user_array = explode(',', $user);

    /* ... */

    $name = $user_array[3];

    /* ... */

    list($first_name, $last_name) = explode(' ', $name);

    /* ... */

    echo "
    Welcome, $first_name!
    ";

That's the best example I can think of on the fly. :-)

The point is that it's very easy to make a mistake - we all do it. That's the main reason why I try to adhere to practices that can help me make fewer mistakes.

I use $_POST sometimes in articles and talks just to make it obvious that the data is tainted and to make the example attacks simple and straightforward. That's why it's disappointing to see an article with such an obvious vulnerability.

> If you want to carry over form values after errors or across
> multiple form pages (i.e. preserve state), you have to reference
> these $_POST variables eventually, in some form or fashion. In
> this sense, ALL forms are vulnerable to hacks.

That's definitely not true. Consider a username form field. This is basically what the article in question recommends:

Contrast that with this:

There's an enormous difference between the two.

Chris

--
Chris Shiflett
Brain Bulb, The PHP Consultancy
http://brainbulb.com/

From max at neuropunks.org Fri Sep 2 13:48:13 2005
From: max at neuropunks.org (max)
Date: Fri, 2 Sep 2005 12:48:13 -0500
Subject: [nycphp-talk] PHP Form Validation
In-Reply-To: <431882E6.8010905@php.net>
References: <006701c5af14$7429f280$11a8a8c0@cliff> <4317828E.5030206@php.net> <296BEAE9-A9E9-47C3-BA51-F43B9C856EED@billyreisinger.com> <431882E6.8010905@php.net>
Message-ID: <20050902174813.GA33766@neuropunks.org>

This is what I usually use to clean forms I *know* should not contain html/scripting. The only problem is restrictive regexp which won't let you use say ! as part of a password. Just thought someone might find it useful.. Pretty basic code really.
    if ($_POST) {
        $post = input_process($_POST);
        echo "";
    }

    function input_process($array)
    {
        if (count($array) > 0) {
            $config = array();
            foreach ($array as $key => $value) {
                // trim() returns the trimmed string; keep the result
                $key   = trim($key);
                $value = trim($value);
                // drop any key or value that fails the whitelist check
                if (validate($key) === false || validate($value) === false) {
                    continue;
                }
                $config[$key] = $value;
            }
            return $config;
        } else {
            return $array;
        }
    }

    function validate($string)
    {
        if ($string != "") {
            // whitelist: letters, digits, @ . _ / space and -
            // (preg_match() replaces the removed ereg() here)
            if (preg_match('/[^a-zA-Z0-9@._\/ -]/', $string)) {
                // the rejected value is echoed back, so escape it for HTML
                echo "Invalid input " . htmlentities($string, ENT_QUOTES, 'UTF-8');
                return false;
            } else {
                return $string;
            }
        } else {
            return $string;
        }
    }

On Fri, Sep 02, 2005 at 12:50:46PM -0400, Chris Shiflett wrote:
> Billy Reisinger wrote:
> > Correct me if I'm wrong here, folks, but using a $_POST['variable']
> > directly in a form is no more or less vulnerable to attack than
> > using a different variable that is a reference to a $_POST variable.
>
> That's right. In other words, the following is an example of a
> cross-site scripting vulnerability if $username is tainted:
>
>     echo "
>     Welcome, $username!
>     ";
>
> It's very easy to make a mistake that taints a variable without being
> obvious. For example, sometimes data is massaged several times before
> being used:
>
>     $user = $_POST['user'];
>
>     /* ... */
>
>     $user_array = explode(',', $user);
>
>     /* ... */
>
>     $name = $user_array[3];
>
>     /* ... */
>
>     list($first_name, $last_name) = explode(' ', $name);
>
>     /* ... */
>
>     echo "
>     Welcome, $first_name!
>     ";
>
> That's the best example I can think of on the fly. :-)
>
> The point is that it's very easy to make a mistake - we all do it.
> That's the main reason why I try to adhere to practices that can help me
> make fewer mistakes.
>
> I use $_POST sometimes in articles and talks just to make it obvious
> that the data is tainted and to make the example attacks simple and
> straightforward. That's why it's disappointing to see an article with
> such an obvious vulnerability.
>
> > If you want to carry over form values after errors or across
> > multiple form pages (i.e. preserve state), you have to reference
> > these $_POST variables eventually, in some form or fashion. In
> > this sense, ALL forms are vulnerable to hacks.
>
> That's definitely not true. Consider a username form field. This is
> basically what the article in question recommends:
>
>     name="username"
>     value="" />
>
> Contrast that with this:
>
>     header('Content-Type: text/html; charset=UTF-8');
>
>     $clean = array();
>     $html = array();
>
>     if (isset($_POST['username']) &&
>         ctype_alnum($_POST['username']))
>     {
>         $clean['username'] = $_POST['username'];
>     }
>     else
>     {
>         $clean['username'] = '';
>     }
>
>     $html['username'] = htmlentities($clean['username'],
>                                      ENT_QUOTES,
>                                      'UTF-8');
>
>     ?>
>     name="username"
>     value="" />
>
> There's an enormous difference between the two.
> > Chris > > -- > Chris Shiflett > Brain Bulb, The PHP Consultancy > http://brainbulb.com/ > _______________________________________________ > New York PHP Talk Mailing List > AMP Technology > Supporting Apache, MySQL and PHP > http://lists.nyphp.org/mailman/listinfo/talk > http://www.nyphp.org > From shiflett at php.net Fri Sep 2 14:02:59 2005 From: shiflett at php.net (Chris Shiflett) Date: Fri, 02 Sep 2005 14:02:59 -0400 Subject: [nycphp-talk] PHP Form Validation In-Reply-To: <20050902174813.GA33766@neuropunks.org> References: <006701c5af14$7429f280$11a8a8c0@cliff> <4317828E.5030206@php.net> <296BEAE9-A9E9-47C3-BA51-F43B9C856EED@billyreisinger.com> <431882E6.8010905@php.net> <20050902174813.GA33766@neuropunks.org> Message-ID: <431893D3.7020109@php.net> max wrote: > The only problem is restrictive regexp which won't > let you use say ! as part of a password. I never filter passwords like that - as long as you use the MD5 of something as your filtered password, you're pretty safe, because it's alphanumeric. This lets people use anything they want. Chris -- Chris Shiflett Brain Bulb, The PHP Consultancy http://brainbulb.com/ From jbaltz at altzman.com Fri Sep 2 14:20:14 2005 From: jbaltz at altzman.com (Jerry B. Altzman) Date: Fri, 02 Sep 2005 14:20:14 -0400 Subject: [nycphp-talk] PHP Form Validation In-Reply-To: <431893D3.7020109@php.net> References: <006701c5af14$7429f280$11a8a8c0@cliff> <4317828E.5030206@php.net> <296BEAE9-A9E9-47C3-BA51-F43B9C856EED@billyreisinger.com> <431882E6.8010905@php.net> <20050902174813.GA33766@neuropunks.org> <431893D3.7020109@php.net> Message-ID: <431897DE.1010001@altzman.com> On 9/2/2005 2:02 PM, Chris Shiflett wrote: > max wrote: >>The only problem is restrictive regexp which won't >>let you use say ! as part of a password. > I never filter passwords like that - as long as you use the MD5 of > something as your filtered password, you're pretty safe, because it's > alphanumeric. This lets people use anything they want. 
In fact, using a hash of a password instead of the password itself has a number of advantages:

1) The database column is always fixed-length -- a nice to have if you can have it.
2) You can have a pass *phrase* not just a pass *word* -- makes remembering much easier.
3) You don't store plaintext in your database (which you shouldn't be doing anyway -- either you hash the password itself, or if you MUST have access to the original, crypt it and decrypt it in the DB).

> Chris

//jbaltz
--
jerry b. altzman jbaltz at altzman.com KE3ML
thank you for contributing to the heat death of the universe.

From bpilgrim1979 at gmail.com Fri Sep 2 17:10:16 2005
From: bpilgrim1979 at gmail.com (Billy Pilgrim)
Date: Fri, 2 Sep 2005 17:10:16 -0400
Subject: [nycphp-talk] PHP Form Validation
In-Reply-To: <431897DE.1010001@altzman.com>
References: <006701c5af14$7429f280$11a8a8c0@cliff> <4317828E.5030206@php.net> <296BEAE9-A9E9-47C3-BA51-F43B9C856EED@billyreisinger.com> <431882E6.8010905@php.net> <20050902174813.GA33766@neuropunks.org> <431893D3.7020109@php.net> <431897DE.1010001@altzman.com>
Message-ID: <6ee3253b05090214106fe7549@mail.gmail.com>

With md5, you can also setup a non-ssl secure login.

http://pajhome.org.uk/crypt/md5/index.html

Yahoo Mail uses this approach for non-ssl logins. (You can view source to see the pajhome.org javascript library.)

BP

From kigathi at gmail.com Sat Sep 3 02:34:19 2005
From: kigathi at gmail.com (Eric K.)
Date: Sat, 3 Sep 2005 02:34:19 -0400
Subject: [nycphp-talk] SVN questions: incremental save using file changes/deltas &
Message-ID:

During the last NYPHP Andrew & Jeff gave an interesting talk on SVN which left me with a couple of questions...

1) One of SVN's advantages was that it only saves file deltas and not a copy of the file. Isn't this unsafe? What if some newbie sysadmin(!!) botches my original file or one of my early commits, won't that invalidate all my subsequent commits?

2) Is there a shortcut to speed up development or must I duplicate the entire server/dev environment in every developer's workspace?

From andrew at plexpod.com Sat Sep 3 08:59:52 2005
From: andrew at plexpod.com (Andrew Yochum)
Date: Sat, 3 Sep 2005 08:59:52 -0400
Subject: [nycphp-talk] SVN questions: incremental save using file changes/deltas &
In-Reply-To:
References:
Message-ID: <200509030859.52671.andrew@plexpod.com>

On Saturday 03 September 2005 02:34, Eric K. wrote:
> During the last NYPHP Andrew & Jeff gave an interesting talk on SVN which
> left me with a couple of questions...
>
> 1) One of SVN's advantages was that it only saves file deltas and not a
> copy of the file. Isn't this unsafe? What if some newbie sysadmin(!!)
> botches my original file or one of my early commits, won't that invalidate
> all my subsequent commits

A version repository is no substitution for backups. The chances of this happening are the same for any other applications or data stored on your system. How often does your new sysadmin blow away files in /var/lib/mysql? or /var/www/? Botching or taking just 1 file out of either may completely render them useless. Remember that you have a local snapshot of your repos in the form of a checkout. But maintaining backups will ensure your data will be safe. Even so, if your sysadmin continues to botch your files, find a new sysadmin :-)

> 2) Is there a shortcut to speed up development or must I duplicate the
> entire server/dev environment in every developer's workspace?

One suggestion is to use a virtual host and docroot per developer on a centralized development server.
This method fits right in with Hans' presentation using Eclipse as a remote editor, while keeping systems potentially development systems configurations limited to one box, reducing the effort required to create new ones. HTH, Andrew -- Andrew Yochum Plexpod andrew at plexpod.com 718-360-0879 -------------- next part -------------- An HTML attachment was scrubbed... URL: From andrew at plexpod.com Sat Sep 3 09:37:49 2005 From: andrew at plexpod.com (Andrew Yochum) Date: Sat, 3 Sep 2005 09:37:49 -0400 Subject: [nycphp-talk] SVN questions: incremental save using file changes/deltas & In-Reply-To: <200509030859.52671.andrew@plexpod.com> References: <200509030859.52671.andrew@plexpod.com> Message-ID: <200509030937.49133.andrew@plexpod.com> On Saturday 03 September 2005 08:59, Andrew Yochum wrote: > This method fits right in with Hans' > presentation using Eclipse as a remote editor, while keeping systems > potentially development systems configurations limited to one box, reducing > the effort required to create new ones. Yeah, I foobar'ed that. Should've read: This method fits right in with Hans' presentation using Eclipse as a remote editor, while keeping development systems configurations limited to one box, reducing the effort required to create new ones. -- Andrew Yochum Plexpod andrew at plexpod.com 718-360-0879 From chsnyder at gmail.com Sat Sep 3 09:41:00 2005 From: chsnyder at gmail.com (csnyder) Date: Sat, 3 Sep 2005 09:41:00 -0400 Subject: [nycphp-talk] SVN questions: incremental save using file changes/deltas & In-Reply-To: References: Message-ID: On 9/3/05, Eric K. wrote: > 2) Is there a shortcut to speed up development or must I duplicate the > entire server/dev environment in every developer's workspace? In his Eclipse demo Hans really bashed VNC for development, but I've had great results using it to allow a small team to do work directly on a development server from their own workstations. 
It's definitely recommended over sftp or WebDAV for development on the same LAN, just as those technologies are more useful when working remotely.

But there's another angle to this: a well-planned project should be easy to deploy. If each developer has to install XAMPP, edit their local Apache config, create and initialize the database, and create a local configuration file before they can start hacking the code, you will collectively figure out how to streamline the process early on.

Document the install process and put it in a docs folder in your project, along with an sql dump of the database structure and whatever test data you work with. (Or use a remote connection to a single database.)

One thing I would add to J and A's presentation: don't put your local configuration file (the one that sets paths to things) under version control.

If you have something like conf/config.php, move it to conf/config-dist.php before importing your code into subversion. After you check out the first working copy, and recreate the local configuration at conf/config.php, you should (for safety's sake) tell subversion to ignore that file from now on:

    svn propedit svn:ignore conf

...tells svn you want to edit the ignore property of the conf directory. Svn opens an editor, to which you can add the single line:

    config.php

Once you commit the property change, svn will ignore conf/config.php so that someone can't accidentally add it and overwrite everyone else's local configs.
For more on svn:ignore, see http://svnbook.red-bean.com/en/1.1/ch07s02.html#svn-ch-7-sect-2.3.3 -- Chris Snyder http://chxo.com/ From ps at pswebcode.com Sat Sep 3 11:03:26 2005 From: ps at pswebcode.com (Peter Sawczynec) Date: Sat, 3 Sep 2005 11:03:26 -0400 Subject: [nycphp-talk] PHP Form Validation In-Reply-To: <6ee3253b05090214106fe7549@mail.gmail.com> Message-ID: <001201c5b098$a679b9c0$6500a8c0@Liz> An Unnecessary Diversion That Requires No Attention Thirty years ago an alarm on a car was an outrageous extravagance, 15 years ago a moderately-priced optional add-on. Today, comes from the factory pre-installed. Who would expect less? Wouldn't it be nice if in the near future, in the general discussion of programming languages one of the finer selling points of why use PHP would be: "PHP makes it exceptionally hard for even a novice to code insecurely. It is literally one of the best for security. Hands down. That is a general industry consensus." This dialogue about form handling, the difficulties and solutions offered here absolutely positively should be offered in the php.net general introduction along with these other hypothetically named sections such as: "For novice: The secure PHP install. Execute steps 1-10, period. Don't ask any questions just do it this way", "For advanced: The fully-locked down php.ini, a freshened standard in scripting language security", "Changing to secure form code now", "Understanding the unsafe chasm in an HTTP to PHP communications transfer", "Extremely compromising errors display should be turned off by default, and logging to file into an default errs directory should be the default.", "Try the new phpMyErrs versatile errors log viewer works like phpMyAdmin is to MySQL. 
(Maybe can look into Apache err logs too.)", "Introducing the watch_this_script() function (superseding the less intuitively named error_log()) that accepts a valid email address as an nth parameter and if put at the top of a script page will email date, time and all errors on that script with line number(s) automatically. How about a baldly named recent_ten_errs(). Both work from anywhere, at any time like phpinfo().", "Introducing the mandatory retrieve_safe_post_data() that accepts a non-optional array of the variables expected (and that you would have to modify the php.ini to not use this function) and the new standardized safe_email function that is quite strict and strips out all the really in your face bad strings (unless you provide an exceptions white list). That both of these functions would even throw security_errors when they do catch stuff and have an optional nth parameter of the email address that should get the date, time and errors notifications."

And all this might be commingled with the very exciting and brand new to PHP6: "How the new PHP6 acts as a pseudo-streaming media server with the new: stream_media functions family." "The new get_time_by_long_and_latitude() and/or get_time_by_city() functions that have daylight savings, leap year, procession of the stars (kidding) built-in."

I have just finished a difficult week. But truly thank you to all -- many so tremendously gifted who contribute to this endless conversational venture.

Someone once mused: be careful, the more you use it, the more you can get used. Seems to apply quite aptly to all digital tools and functions.

Peter

-----Original Message-----
From: talk-bounces at lists.nyphp.org [mailto:talk-bounces at lists.nyphp.org] On Behalf Of Billy Pilgrim
Sent: Friday, September 02, 2005 5:10 PM
To: NYPHP Talk
Subject: Re: [nycphp-talk] PHP Form Validation

With md5, you can also setup a non-ssl secure login.
http://pajhome.org.uk/crypt/md5/index.html Yahoo Mail uses this approach for non-ssl logins. (You can view source to see the pajhome.org javascript library.) BP _______________________________________________ New York PHP Talk Mailing List AMP Technology Supporting Apache, MySQL and PHP http://lists.nyphp.org/mailman/listinfo/talk http://www.nyphp.org From bpilgrim1979 at gmail.com Sat Sep 3 16:27:48 2005 From: bpilgrim1979 at gmail.com (Billy Pilgrim) Date: Sat, 3 Sep 2005 16:27:48 -0400 Subject: [nycphp-talk] PHP Form Validation In-Reply-To: <001201c5b098$a679b9c0$6500a8c0@Liz> References: <6ee3253b05090214106fe7549@mail.gmail.com> <001201c5b098$a679b9c0$6500a8c0@Liz> Message-ID: <6ee3253b05090313276e581da6@mail.gmail.com> On 9/3/05, Peter Sawczynec wrote: > "For advanced: The fully-locked down php.ini, a freshened standard in > scripting language security", http://us3.php.net/manual/en/install.unix.php 13. Setup your php.ini file: cp php.ini-dist /usr/local/lib/php.ini You may edit your .ini file to set PHP options. If you prefer your php.ini in another location, use --with-config-file-path=/some/path in step 10. If you instead choose php.ini-recommended, be certain to read the list of changes within, as they affect how PHP behaves. From bpilgrim1979 at gmail.com Sat Sep 3 16:44:31 2005 From: bpilgrim1979 at gmail.com (Billy Pilgrim) Date: Sat, 3 Sep 2005 16:44:31 -0400 Subject: [nycphp-talk] SVN questions: incremental save using file changes/deltas & In-Reply-To: References: Message-ID: <6ee3253b050903134431d7532c@mail.gmail.com> On 9/3/05, Eric K. wrote: > 1) One of SVN's advantages was that it only saves file deltas and not a > copy of the file. Isn't this unsafe? What if some newbie sysadmin(!!) > botches my original file or one of my early commits, won't that invalidated > all my subsequent commits This question is immaterial because neither developers nor repository administrators have anything to do with the internal file deltas, etc. 
A sysadmin installs subversion and then the subversion handles commits--a "newbie sysadmin" isn't personally involved in any commit, "original file", etc. This question just doesn't make sense. Subversion just doesn't work that way. :)

Also, your svn repos should be FSFS, not Berkeley.
http://svnbook.red-bean.com/en/1.1/ch05.html#svn-ch-5-sect-1.3

> 2) Is there a shortcut to speed up development or must I duplicate the
> entire server/dev environment in every developer's workspace?

If you're using subversion, you should WANT to have separate dev environments. Then files are shared through subversion. But if your dev team wants to edit the same files on a live webroot with Windows Map a Network Drive, you are welcome to do that too. :P

BP

From phil at bearingasset.com Sun Sep 4 10:44:59 2005
From: phil at bearingasset.com (Phil Duffy)
Date: Sun, 4 Sep 2005 10:44:59 -0400
Subject: [nycphp-talk] Partial Name Lookup Function in PEAR
In-Reply-To: <8C77CAA3E05A480-94C-297D@MBLK-M28.sysops.aol.com>
Message-ID: <20050904144507.1B0B9A86DE@virtu.nyphp.org>

Lee,

This is the PEAR-based solution to the question I posed earlier.

    $personList = & new DataObjects_Person();
    $lastNamePattern = $input->person->last_name;
    $lastNamePattern = addslashes($lastNamePattern) . '%';
    $personList->whereAdd("last_name LIKE '$lastNamePattern'");
    $personList->orderBy('last_name');
    $result = $personList->find();

Many thanks for your prompt, excellent suggestion. It started me on the right path and allowed me to pose a specific question to the Seagull community, which provided an insight.
Phil _____ From: talk-bounces at lists.nyphp.org [mailto:talk-bounces at lists.nyphp.org] On Behalf Of leeeyerman at aol.com Sent: Wednesday, August 31, 2005 8:19 PM To: talk at lists.nyphp.org Subject: Re: [nycphp-talk] Partial Name Lookup Function in PEAR I do not know about PEAR but if you are just trying to look up a first or last name (or anything other name/text) using only a partial piece of information the LIKE command is best. SELECT "column" FROM "table" WHERE "column_name" LIKE [PATTERN] ie. SELECT * FROM pics WHERE pic_name LIKE '%ANG%' This would return all pic_name where ANG is contained in the string. http://www.1keydata.com/sql/sqllike.html http://www.techonthenet.com/sql/like.php -----Original Message----- From: Phil Duffy To: 'NYPHP Talk' Sent: Wed, 31 Aug 2005 21:05:48 -0400 Subject: [nycphp-talk] Partial Name Lookup Function in PEAR Does PEAR offer a partial name lookup function? What is the best way to do a partial name lookup in a database-independent manner? If I must drop back to hard-coded MySQL calls, is the LOCATE() function the appropriate one to use in this situation? Any responses will be appreciated, including advice to direct these questions to another list. Phil Duffy _______________________________________________ New York PHP Talk Mailing List AMP Technology Supporting Apache, MySQL and PHP http://lists.nyphp.org/mailman/listinfo/talk http://www.nyphp.org -------------- next part -------------- An HTML attachment was scrubbed... URL: From matt at jobsforge.com Sun Sep 4 11:25:05 2005 From: matt at jobsforge.com (Matthew Terenzio) Date: Sun, 4 Sep 2005 11:25:05 -0400 Subject: [nycphp-talk] HTML_QuickForm name attribute Message-ID: <87aa9364c0c5a76122269e63a691512b@jobsforge.com> I see that HTML_Quick_Form adds the name attribute to the form but xhtml1.0 strict doesn't support that attribute. I was thinking of hacking up the class. Does anyone know off hand whether there would be any problems without it? 
Matt From lists at zaunere.com Sun Sep 4 18:44:05 2005 From: lists at zaunere.com (Hans Zaunere) Date: Sun, 4 Sep 2005 18:44:05 -0400 Subject: [nycphp-talk] SVN questions: incremental save using filechanges/deltas & In-Reply-To: Message-ID: <0MKoyl-1EC3Db1GrL-0006eC@mrelay.perfora.net> csnyder wrote on Saturday, September 03, 2005 9:41 AM: > On 9/3/05, Eric K. wrote: > > > 2) Is there a shortcut to speed up development or must I duplicate the > > entire server/dev environment in every developer's workspace? > > In his Eclipse demo Hans really bashed VNC for development, but I've Well, ok... > had great results using it to allow a small team to do work directly > on a development server from their own workstations. It's definitely > recommended over sftp or WebDAV for development on the same LAN, just > as those technologies are more useful when working remotely. I don't know if I'd agree actually. Depending on the operating system and user preference, pinning developers to a single platform by way of remote desktops can be troublesome, which is one of my primary objections. > But there's another angle to this: a well-planned project should be > easy to deploy. If each developer has to install XAMPP, edit their > local Apache config, create and initialize the database, and create a > local configuration file before they can start hacking the code, you > will collectively figure out how to streamline the process early on. > > Document the install process and put it in a docs folder in your > project, along with an sql dump of the database structure and whatever > test data you work with. (Or use a remote connection to a single > database.) > > One thing I would add to J and A's presentation: don't put your local > configuration file (the one that sets paths to things) under version > control. > > If you have something like conf/config.php, move it to > conf/config-dist.php before importing your code into subversion. 
After > you check out the first working copy, and recreate the local > configuration at conf/config.php, you should (for safety's sake) tell > subversion to ignore that file from now on: > > svn propedit svn:ignore conf > > ...tells svn you want to edit the ignore property of the conf > directory. Svn opens an editor, to which you can add the single line: > > config.php > > Once you commit the property change, svn will ignore conf/config.php > so that someone can't accidentally add it and overwrite everyone > else's local configs. For more on svn:ignore, see > http://svnbook.red-bean.com/en/1.1/ch07s02.html#svn-ch-7-sect-2.3.3 That's a great outline of the process for ignoring files, etc. --- Hans Zaunere President, Founder New York PHP http://www.nyphp.org AMP Technology Supporting Apache, MySQL and PHP From lists at zaunere.com Sun Sep 4 19:04:33 2005 From: lists at zaunere.com (Hans Zaunere) Date: Sun, 4 Sep 2005 19:04:33 -0400 Subject: [nycphp-talk] PHP Form Validation In-Reply-To: <6ee3253b05090313276e581da6@mail.gmail.com> Message-ID: <0MKoyl-1EC3XO3yhk-0006r9@mrelay.perfora.net> Billy Pilgrim wrote on Saturday, September 03, 2005 4:28 PM: > On 9/3/05, Peter Sawczynec wrote: > > "For advanced: The fully-locked down php.ini, a freshened standard in > > scripting language security", > > http://us3.php.net/manual/en/install.unix.php > > 13. Setup your php.ini file: > > cp php.ini-dist /usr/local/lib/php.ini > > You may edit your .ini file to set PHP options. If you prefer your > php.ini in another location, use --with-config-file-path=/some/path in > step 10. > > If you instead choose php.ini-recommended, be certain to read the list > of changes within, as they affect how PHP behaves. php.ini-recommended does change behavior, but it's the correct behavior. Code should be written to work under the settings contained within php.ini-recommended. In fact, the first thing I do on all PHP installs is to cp php.ini-recommended to php.ini in the proper directory. 
Using php.ini-recommended provides for better security, performance, and
eliminates many of the idiosyncrasies that PHP has seen over the years.

H

From brettstil at gmail.com Sun Sep 4 23:33:35 2005
From: brettstil at gmail.com (Brett Stilwell)
Date: Sun, 4 Sep 2005 23:33:35 -0400
Subject: [nycphp-talk] SVN questions: incremental save using file changes/deltas &
In-Reply-To:
References:
Message-ID: <4048d2ca05090420331f8cb043@mail.gmail.com>

On 9/3/05, csnyder wrote:
> But there's another angle to this: a well-planned project should be
> easy to deploy. If each developer has to install XAMPP, edit their
> local Apache config, create and initialize the database, and create a
> local configuration file before they can start hacking the code, you
> will collectively figure out how to streamline the process early on.
>
> Document the install process and put it in a docs folder in your
> project, along with an sql dump of the database structure and whatever
> test data you work with. (Or use a remote connection to a single
> database.)

Absolutely. Every developer should understand how AMP is set up, how
php.ini and httpd.conf are configured, etc. Every developer should be
required to install his own dev station based on the dev team docs. Once
that is understood, source control really comes into play with local
working copies vs committed files, branches for bug fixing vs new
release, version release tags, etc.

BP

From mikko.rantalainen at peda.net Mon Sep 5 04:12:31 2005
From: mikko.rantalainen at peda.net (Mikko Rantalainen)
Date: Mon, 05 Sep 2005 11:12:31 +0300
Subject: [nycphp-talk] Partial Name Lookup Function in PEAR
In-Reply-To: <20050904144507.1B0B9A86DE@virtu.nyphp.org>
References: <20050904144507.1B0B9A86DE@virtu.nyphp.org>
Message-ID: <431BFDEF.4010805@peda.net>

Phil Duffy wrote:
> This is the PEAR-based solution to the question I posed earlier.
>
> $personList = & new DataObjects_Person();
> $lastNamePattern = $input->person->last_name;
> $lastNamePattern = addslashes($lastNamePattern) . '%';

Is this safe? I thought you were supposed to use mysql_real_escape_string()
with MySQL and pg_escape_string() with PostgreSQL and something else with
other database engines. Code that uses DB_DataObject should use the
following code instead if I've understood correctly:

    $lastNamePattern = $personList->escape($lastNamePattern) . '%';

Documentation:
http://pear.php.net/manual/en/package.database.db-dataobject.db-dataobject.escape.php

> $personList->whereAdd("last_name LIKE '$lastNamePattern'");
> $personList->orderBy('last_name');
> $result = $personList->find();

Am I the only one wondering if using OO-interface is really LESS error
prone or EASIER than just writing the SQL queries by myself. At least,
with interface like this...

--
Mikko

From ps at pswebcode.com Mon Sep 5 07:46:56 2005
From: ps at pswebcode.com (Peter Sawczynec)
Date: Mon, 5 Sep 2005 07:46:56 -0400
Subject: [nycphp-talk] PHP Form Validation
In-Reply-To: <0MKoyl-1EC3XO3yhk-0006r9@mrelay.perfora.net>
Message-ID: <000301c5b20f$87e67c50$6500a8c0@Liz>

I knew I'd looked through the "php.ini-recommended" before and I did not
find it thorough, so for the purposes of this discussion I just reviewed
it again and I still find:

    open_basedir = "" [is not set],
    allow_url_fopen = On,
    expose_php = On,
    safe_mode = off,
    track_errors = Off,

All these settings should be reversed for the default. Open_basedir must
be set. Like I said, out of the box with all restrictions and let admins
turn on features only as needed.

Apache also has several little canoodles in the conf, e.g.:
ServerSignature On. Specifying Listen should probably be mandatory.
Peter

-----Original Message-----
From: talk-bounces at lists.nyphp.org [mailto:talk-bounces at lists.nyphp.org] On Behalf Of Hans Zaunere
Sent: Sunday, September 04, 2005 7:05 PM
To: 'NYPHP Talk'
Subject: Re: [nycphp-talk] PHP Form Validation

Billy Pilgrim wrote on Saturday, September 03, 2005 4:28 PM:
> On 9/3/05, Peter Sawczynec wrote:
> > "For advanced: The fully-locked down php.ini, a freshened standard
> > in scripting language security",
>
> http://us3.php.net/manual/en/install.unix.php
>
> 13. Setup your php.ini file:
>
>     cp php.ini-dist /usr/local/lib/php.ini
>
> You may edit your .ini file to set PHP options. If you prefer your
> php.ini in another location, use --with-config-file-path=/some/path in
> step 10.
>
> If you instead choose php.ini-recommended, be certain to read the list
> of changes within, as they affect how PHP behaves.

php.ini-recommended does change behavior, but it's the correct behavior.
Code should be written to work under the settings contained within
php.ini-recommended. In fact, the first thing I do on all PHP installs is
to cp php.ini-recommended to php.ini in the proper directory.

Using php.ini-recommended provides for better security, performance, and
eliminates many of the idiosyncrasies that PHP has seen over the years.

H

From phil at bearingasset.com Mon Sep 5 08:35:27 2005
From: phil at bearingasset.com (Phil Duffy)
Date: Mon, 5 Sep 2005 08:35:27 -0400
Subject: [nycphp-talk] Partial Name Lookup Function in PEAR
In-Reply-To: <431BFDEF.4010805@peda.net>
Message-ID: <20050905123544.B0F21A86E8@virtu.nyphp.org>

Mikko,

Thanks for your observation. I see your point and have made the change.
Phil

-----Original Message-----
From: talk-bounces at lists.nyphp.org [mailto:talk-bounces at lists.nyphp.org] On Behalf Of Mikko Rantalainen
Sent: Monday, September 05, 2005 3:13 AM
To: NYPHP Talk
Subject: Re: [nycphp-talk] Partial Name Lookup Function in PEAR

Phil Duffy wrote:
> This is the PEAR-based solution to the question I posed earlier.
>
> $personList = & new DataObjects_Person();
> $lastNamePattern = $input->person->last_name;
> $lastNamePattern = addslashes($lastNamePattern) . '%';

Is this safe? I thought you were supposed to use mysql_real_escape_string()
with MySQL and pg_escape_string() with PostgreSQL and something else with
other database engines. Code that uses DB_DataObject should use the
following code instead if I've understood correctly:

    $lastNamePattern = $personList->escape($lastNamePattern) . '%';

Documentation:
http://pear.php.net/manual/en/package.database.db-dataobject.db-dataobject.escape.php

> $personList->whereAdd("last_name LIKE '$lastNamePattern'");
> $personList->orderBy('last_name');
> $result = $personList->find();

Am I the only one wondering if using OO-interface is really LESS error
prone or EASIER than just writing the SQL queries by myself. At least,
with interface like this...

--
Mikko

From chsnyder at gmail.com Mon Sep 5 09:40:37 2005
From: chsnyder at gmail.com (csnyder)
Date: Mon, 5 Sep 2005 09:40:37 -0400
Subject: [nycphp-talk] HTML_QuickForm name attribute
In-Reply-To: <87aa9364c0c5a76122269e63a691512b@jobsforge.com>
References: <87aa9364c0c5a76122269e63a691512b@jobsforge.com>
Message-ID:

On 9/4/05, Matthew Terenzio wrote:
>
> I see that HTML_Quick_Form adds the name attribute to the form but
> xhtml1.0 strict doesn't support that attribute.
> I was thinking of hacking up the class.
>
> Does anyone know off hand whether there would be any problems without
> it?
>
> Matt

Unless you really need XHTML Strict for some reason you could save
yourself a lot of trouble and use XHTML Transitional.

Have you tried using forms without name attributes? In my experience they
don't actually work yet.

From shiflett at php.net Mon Sep 5 11:20:50 2005
From: shiflett at php.net (Chris Shiflett)
Date: Mon, 05 Sep 2005 11:20:50 -0400
Subject: [nycphp-talk] PHP Form Validation
In-Reply-To: <000301c5b20f$87e67c50$6500a8c0@Liz>
References: <000301c5b20f$87e67c50$6500a8c0@Liz>
Message-ID: <431C6252.5000507@php.net>

Peter Sawczynec wrote:
> I knew I'd looked through the "php.ini-recommended" before and I did not
> find it thorough, so for the purposes of this discussion I just reviewed
> it again and I still find:
>
> open_basedir = "" [is not set],
> allow_url_fopen = On,
> expose_php = On,
> safe_mode = off,
> track_errors = Off,
>
> All these settings should be reversed for the default.

While open_basedir is a good thing to set, there's no way a default config
file that comes bundled with the distribution can specify a value that
fits everyone's needs. This is something that needs to remain as is.

Disabling expose_php would seriously hurt the usage graph, so that's
unlikely to happen. I'm not saying the PHP Group is more concerned with
marketing than security, but there is very little to be gained by
disabling this, so there's really no point. A little obscurity never
hurts, but it's not worth much.

The safe_mode directive needs to go. I would hate to see that enabled by
default. I'd rather see it not in the config file at all. This is a likely
scenario for PHP 6.0. In exchange, hosts can utilize open_basedir and
disable_functions, and perhaps the config file can have some commented
lines with suggestions.

> Apache also has several little canoodles in the conf, e.g.:
> ServerSignature On.

Same as above.
A little bit of obscurity has a little bit of value, but it's not worth
"hiding" the fact that so many people use Apache and PHP.

Chris

--
Chris Shiflett
Brain Bulb, The PHP Consultancy
http://brainbulb.com/

From chsnyder at gmail.com Mon Sep 5 13:52:04 2005
From: chsnyder at gmail.com (csnyder)
Date: Mon, 5 Sep 2005 13:52:04 -0400
Subject: [nycphp-talk] PHP Form Validation
In-Reply-To: <431C6252.5000507@php.net>
References: <000301c5b20f$87e67c50$6500a8c0@Liz> <431C6252.5000507@php.net>
Message-ID:

On 9/5/05, Chris Shiflett wrote:
> A little bit of obscurity has a little bit of value, but
> it's not worth "hiding" the fact that so many people use Apache and PHP.

Yep. Turning off the product signatures is important if you want to hide
version information from your clients or your boss, and it might protect
you from casual scans via Google. But there's nothing to stop an
attacking 'bot from discovering the version levels on its own, by trying
known vulnerabilities.

From dmintz at davidmintz.org Mon Sep 5 15:29:43 2005
From: dmintz at davidmintz.org (David Mintz)
Date: Mon, 5 Sep 2005 15:29:43 -0400 (EDT)
Subject: [nycphp-talk] to __autoload or not to __autoload?
Message-ID:

If you use HTML_QuickForm with a PHP5 __autoload() function such as the
following...

    function __autoload($class)
    {
        include_once(str_replace('_', DIRECTORY_SEPARATOR, $class) . '.php');
    }

...you can get burned by a line in RuleRegistry.php that depends on PHP4
classname insensitivity where it tests whether something
is_a('lowercase_classname')

    if (is_a($element, 'html_quickform_group')) { /* ... */ }

And it seems that there has been some controversy over whether this is a
bug requiring fixing, or the user's problem
(http://marc.theaimsgroup.com/?l=pear-dev&m=112241111400053&w=2 etc). In
my case it won't be a problem if I either fix this line myself, or stop
using __autoload().
But an __autoload() is also going to fail where classes are bundled in the
same file, which in some cases is not an unreasonable thing to do, imho.

So I am wondering what people's thoughts are about __autoload() generally.
Do you? Why or why not?

---
David Mintz
http://davidmintz.org/

From lists at zaunere.com Mon Sep 5 23:00:31 2005
From: lists at zaunere.com (Hans Zaunere)
Date: Mon, 5 Sep 2005 23:00:31 -0400
Subject: [nycphp-talk] SVN questions: incremental save using filechanges/deltas &
In-Reply-To:
Message-ID: <0MKoyl-1ECThK0Hhg-0001o7@mrelay.perfora.net>

Eric K. wrote on Saturday, September 03, 2005 2:34 AM:
> During the last NYPHP Andrew & Jeff gave an interesting talk on SVN which
> left me with a couple of questions...
>
> 1) One of SVN's advantages was that it only saves file deltas and not a
> copy of the file. Isn't this unsafe? What if some newbie sysadmin(!!)
> botches my original file or one of my early commits, won't that
> invalidate all my subsequent commits

As Andrew points out, svn isn't a backup, recovery, or retention solution.
In fact, it could be considered a point of vulnerability, just like any
other source repository. There are two things well protected in this
world: Microsoft's and Oracle's source repositories.

Seriously though, the SVN server should have a regular backup routine,
and it's always a good idea to keep at least 5 days of backups. Basically
the facets of any good backup strategy - geographic duplicity, off-site
archival, retention, etc. - all apply here.

> 2) Is there a shortcut to speed up development or must I duplicate the
> entire server/dev environment in every developer's workspace?

This is basically what my presentation covered, and we'll get those slides
online soon. The short version is that by using a combination of
technologies - Windows XP, Eclipse, WebDrive, and either WebDAV, SFTP or
even FTP - a team of developers can work on a single server.
This has a couple of key advantages:

-- no need to recreate the dev environment multiple times
-- no code/environment drift. Even if you set up environments exactly the
   same, it's inevitable that the developers will want to tweak their
   settings, resulting in unexpected results when deployed.
-- developers can use the platform of their choice as a workstation,
   whether it be Windows, Mac or UNIX

---
Hans Zaunere / President / New York PHP
www.nyphp.com

From greg.rundlett at gmail.com Tue Sep 6 21:38:45 2005
From: greg.rundlett at gmail.com (Greg Rundlett)
Date: Tue, 6 Sep 2005 21:38:45 -0400
Subject: [nycphp-talk] to __autoload or not to __autoload?
In-Reply-To:
References:
Message-ID: <5e2aaca4050906183827cf3e8a@mail.gmail.com>

On 9/5/05, David Mintz wrote:
>
> So I am wondering what people's thoughts are about __autoload() generally.
> Do you? Why or why not?

I don't use it. I want to know specifically what classes I'm loading, and
add comments about why I'm loading them if it's not obvious. Others might
argue that it makes life easier, but it doesn't make life easy for
users/developers who use your code, and searching for what library defines
some class.

If somebody insists that it's a language feature, and makes use of that
feature for convenience, then I hope that they also consider documentation
a feature, and make use of that convenience too. ;-)

From cliff at pinestream.com Wed Sep 7 09:45:25 2005
From: cliff at pinestream.com (Cliff Hirsch)
Date: Wed, 7 Sep 2005 09:45:25 -0400
Subject: [nycphp-talk] Favorite PEAR Packages
In-Reply-To: <6ee3253b05090214106fe7549@mail.gmail.com>
Message-ID: <000b01c5b3b2$66880cf0$11a8a8c0@cliff>

Every time I look at PEAR packages, I think, "wow that sure would have
saved me some time."
Then, when I dig deeper, I see that the package is in alpha, or it has no
documentation, or the learning curve doesn't appear to be worth the
effort, or I worry about customization and extensibility to my specific
requirements (such as how committed do I get before I hit the wall with
the package) or I worry if the general purpose nature of these packages
will cause them to be slow.

The latest packages I have looked at that have caused this angst are
Structures_DataGrid, HTML_Table, Pager 2.2 and Validate. Although these
same general thoughts appear with many other packages such as the mighty
HTML Quickform.

What packages are your favorites? Would you use them for full blown,
large scale custom web applications or smaller "corporate-style"
development effort? Any thoughts or experience with extensibility,
rendering and performance?

Cliff Hirsch

From dcech at phpwerx.net Wed Sep 7 10:21:30 2005
From: dcech at phpwerx.net (Dan Cech)
Date: Wed, 07 Sep 2005 10:21:30 -0400
Subject: [nycphp-talk] Favorite PEAR Packages
In-Reply-To: <000b01c5b3b2$66880cf0$11a8a8c0@cliff>
References: <000b01c5b3b2$66880cf0$11a8a8c0@cliff>
Message-ID: <431EF76A.1080507@phpwerx.net>

Cliff,

Firstly let me get one 'pet peeve' off my chest. When creating a new topic
please create a new email rather than replying to a list message with a
different subject line. For those of us using email clients with threading
support this gets really annoying.

As for PEAR packages, I use DB on a daily basis at work and would not be
without it (or adodb if that's your preference) for any major project. I
have also had great success with Mail_Mime for parsing incoming email
messages, Spreadsheet_Excel_Writer and XML_RPC.

You do sometimes have to get used to doing things 'the PEAR way', but the
wealth of pre-developed and tested software is something that is very
hard to ignore.

Dan

Cliff Hirsch wrote:
> Every time I look at PEAR packages, I think, "wow that sure would have
> saved me some time."
> Then, when I dig deeper, I see that the package is
> in alpha, or it has no documentation, or the learning curve doesn't
> appear to be worth the effort, or I worry about customization and
> extensibility to my specific requirements (such as how committed do I
> get before I hit the wall with the package) or I worry if the general
> purpose nature of these packages will cause them to be slow.
>
> The latest packages I have looked at that have caused this angst are
> Structures_DataGrid, HTML_Table, Pager 2.2 and Validate. Although these
> same general thoughts appear with many other packages such as the mighty
> HTML Quickform.
>
> What packages are your favorites? Would you use them for full blown,
> large scale custom web applications or smaller "corporate-style"
> development effort? Any thoughts or experience with extensibility,
> rendering and performance?
>
> Cliff Hirsch

From ps at pswebcode.com Thu Sep 8 15:15:18 2005
From: ps at pswebcode.com (Peter Sawczynec)
Date: Thu, 8 Sep 2005 15:15:18 -0400
Subject: [nycphp-talk] A SQL Shout Out
Message-ID: <000001c5b4a9$b8cbbdc0$6500a8c0@Liz>

I simply wanted to give a special notable mention and thanks to O'Reilly's
"MySQL Cookbook" which in the last year has handily become my
most-referenced reference. And probably has led me to more effective
solutions than any other reference I've stacked around the desk. [I try to
solve almost everything first with SQL.]

Additionally, I wanted to note that for exploring SQL more deeply as a
language I found "The Practical SQL Handbook" and "Joe Celko's SQL for
Smarties" elegant, stretching out like seasoned profs.

Warmest regards,

Peter Sawczynec
PSWebcode
ps at pswebcode.com
718.796.1951

From dmintz at davidmintz.org Fri Sep 9 17:11:46 2005
From: dmintz at davidmintz.org (David Mintz)
Date: Fri, 9 Sep 2005 17:11:46 -0400 (EDT)
Subject: [nycphp-talk] PDF mailing labels in PHP 5
Message-ID:

I want to generate standard Avery #5160 mailing labels with data from a
MySQL db.
I have done this using Perl modules but I want to use PHP (can't seem to
get Perl DBD:mysql installed and communicating with MySQL 4.1).

So I tried running the example that comes with the label-making subclass
of class.ezpdf.php found at http://www.ros.co.nz/pdf/user.php and the
resulting output file is somehow corrupt, but I haven't succeeded in
debugging the problem any better than that. I am running PHP 5.0.4. I
thought, gee let's try it on a PHP 4 server. Bingo.

Question is, to anyone who's familiar with this class, is this a PHP 5
compatibility problem, or is the fact that I was lucky on one box but not
the other just luck?

Or: does anyone know of another good solution for making labels? I
suppose possible solutions are: install PHP 4 to run in cgi mode and use
this code as is, or fix it to run under PHP 5.

---
David Mintz
http://davidmintz.org/

From yournway at gmail.com Fri Sep 9 17:18:46 2005
From: yournway at gmail.com (Alberto dos Santos)
Date: Fri, 9 Sep 2005 22:18:46 +0100
Subject: [nycphp-talk] PDF mailing labels in PHP 5
In-Reply-To:
Message-ID:

Export as csv, import in ms word and do-it?

Just joking. Hehe ;-)

Alberto

> ---
> David Mintz
> http://davidmintz.org/

From prusak at gmail.com Fri Sep 9 17:20:33 2005
From: prusak at gmail.com (Ophir Prusak)
Date: Fri, 9 Sep 2005 17:20:33 -0400
Subject: [nycphp-talk] PHP on Windows + MS SQL Server
Message-ID:

Hi All,

I'm working at a windows shop where all of the data is on MS SQL server
2000 (using .asp and .aspx - .net)

We're at the point where we're looking into adding PHP into the mix.

Up until this point, 99% of my PHP experience is on Linux systems with
MySQL, Oracle or PostgreSQL.
Any pointers / tips / articles / web sites (etc) I should be looking at
that will help me integrate PHP in our windows 2003 + MS SQL 2000
environment as smoothly as possible ?

Thanks
Ophir

From dcech at phpwerx.net Fri Sep 9 17:24:57 2005
From: dcech at phpwerx.net (Dan Cech)
Date: Fri, 09 Sep 2005 17:24:57 -0400
Subject: [nycphp-talk] PDF mailing labels in PHP 5
In-Reply-To:
References:
Message-ID: <4321FDA9.7030009@phpwerx.net>

David,

I have used the pdf class extensively under php4, but not php5. I'd
definitely spend a little time trying to figure out exactly what is going
wrong in php5, as it seems this wonderful class is receiving very little
of the love it deserves at present.

To get some idea of why the output may be munged, you could try using this
debugging code:

    // debugging: append the class's own diagnostic messages to the page,
    // then dump the raw PDF source as escaped text instead of sending it
    // as a PDF, so the corrupt output can be inspected by eye.
    $pdf->ezText("\n\n" . $pdf->messages, 10, array('justification' => 'left'));
    $pdfcode = $pdf->output(1);
    // The list archive stripped the HTML tags from the next four lines;
    // <br /> and <pre> are assumed here so the snippet runs again.
    $pdfcode = str_replace("\n", "<br />\n", htmlspecialchars($pdfcode));
    echo '<pre>';
    echo trim($pdfcode);
    echo '</pre>';
    exit();

Dan

David Mintz wrote:
> I want to generate standard Avery #5160 mailing labels with data from a
> MySQL db. I have done this using Perl modules but I want to use PHP (can't
> seem get Perl DBD:mysql installed and communicating with MySQL 4.1)
>
> So I tried running the example that comes with the label-making subclass
> of class.ezpdf.php found at http://www.ros.co.nz/pdf/user.php and the
> resulting output file is somehow corrupt, but I haven't succeeded in
> debugging the problem any better than that. I am running PHP 5.0.4. I
> thought, gee let's try it on a PHP 4 server. Bingo.
>
> Question is, to anyone who's familiar with this class, is this a PHP 5
> compatibility problem, or is the fact that I was lucky on one box but not
> the other just luck?
>
> Or: does anyone know of another good solution for making labels? I
> suppose possible solutions are: install PHP 4 to run in cgi mode and use
> this code as is, or fix it to run under PHP 5.
>
> ---
> David Mintz
> http://davidmintz.org/

From tgales at tgaconnect.com Fri Sep 9 18:06:58 2005
From: tgales at tgaconnect.com (Tim Gales)
Date: Fri, 09 Sep 2005 18:06:58 -0400
Subject: [nycphp-talk] PDF mailing labels in PHP 5
In-Reply-To:
References:
Message-ID: <43220782.2080204@tgaconnect.com>

David Mintz writes:
...
>
> So I tried running the example that comes with the label-making subclass
> of class.ezpdf.php found at http://www.ros.co.nz/pdf/user.php and the
> resulting output file is somehow corrupt, but I haven't succeeded in
> debugging the problem any better than that. I am running PHP 5.0.4. I
> thought, gee let's try it on a PHP 4 server. Bingo.
>

Sorry not familiar with that stuff.

But you do have the fonts (in the right place) -- right?

--
T. Gales & Associates
'Helping People Connect with Technology'
http://www.tgaconnect.com

From nestorflorez at earthlink.net Fri Sep 9 19:20:04 2005
From: nestorflorez at earthlink.net (Nestor Florez)
Date: Fri, 9 Sep 2005 16:20:04 -0700 (GMT-07:00)
Subject: [nycphp-talk] PHP on Windows + MS SQL Server
Message-ID: <6531025.1126308004322.JavaMail.root@elwamui-mouette.atl.sa.earthlink.net>

When calling to open the DB in Mysql be aware of using ; instead of a :
between the ip address and the port #

Otherwise there should be no problem.

Nestor :-)

-----Original Message-----
From: Ophir Prusak
Sent: Sep 9, 2005 2:20 PM
To: NYPHP Talk
Subject: [nycphp-talk] PHP on Windows + MS SQL Server

Hi All,

I'm working at a windows shop where all of the data is on MS SQL server
2000 (using .asp and .aspx - .net)

We're at the point where we're looking into adding PHP into the mix.

Up until this point, 99% of my PHP experience is on Linux systems with
MySQL, Oracle or PostgreSQL.

Any pointers / tips / articles / web sites (etc) I should be looking at
that will help me integrate PHP in our windows 2003 + MS SQL 2000
environment as smoothly as possible ?

Thanks
Ophir

From ps at pswebcode.com Fri Sep 9 21:09:13 2005
From: ps at pswebcode.com (Peter Sawczynec)
Date: Fri, 9 Sep 2005 21:09:13 -0400
Subject: [nycphp-talk] PHP on Windows + MS SQL Server
In-Reply-To:
Message-ID: <000001c5b5a4$42e3b350$6400a8c0@PeterStorm>

PHP 4.x under IIS6 on Windows 2003 Server, if I recall, will need to have
php added to the web server extensions set. Done through IIS Manager.

Install PHP into a really plain directory name like C:\PHP. Don't use paths
with spaces in them. Then add this PATH to the environmental variables
accessed through My Computer>Properties.
Then with this one step alone: php.ini, all the php.dlls, everything from
the install, can stay in the single PHP install folder and you don't have
to put anything out into C:\Windows, etc.

PHP4.x installs under IIS 5 and IIS 6 smoothly. You need to tune your
settings in php.ini. Directions that come with the PHP download are quite
complete.

Googling for PHP Windows install tutorial will get you plenty of results.
Just step 5 or 6 pages down through the results. Lots of individuals have
summarized their efforts. Php.net user comments in the Windows install
area has lots of tips too.

Additionally, MySQL 4.x installs smoothly on Win boxes. No fear.

-----Original Message-----
From: talk-bounces at lists.nyphp.org [mailto:talk-bounces at lists.nyphp.org] On Behalf Of Ophir Prusak
Sent: Friday, September 09, 2005 5:21 PM
To: NYPHP Talk
Subject: [nycphp-talk] PHP on Windows + MS SQL Server

Hi All,

I'm working at a windows shop where all of the data is on MS SQL server
2000 (using .asp and .aspx - .net)

We're at the point where we're looking into adding PHP into the mix.

Up until this point, 99% of my PHP experience is on Linux systems with
MySQL, Oracle or PostgreSQL.

Any pointers / tips / articles / web sites (etc) I should be looking at
that will help me integrate PHP in our windows 2003 + MS SQL 2000
environment as smoothly as possible ?

Thanks
Ophir

From corey at bmfenterprises.com Sat Sep 10 00:18:43 2005
From: corey at bmfenterprises.com (Corey Fogarty)
Date: Sat, 10 Sep 2005 00:18:43 -0400
Subject: [nycphp-talk] Requirements for a Verisign Cert?
Message-ID:

I bought a Verisign Secure Site Pro cert for a client. It is not working
correctly...

I am running Apache 1.3.29 mod_ssl/2.8.16 OpenSSL/0.9.7c.
This is a Solaris 2.6 Ultra 5 running 64mb of memory, that may be part of
the problem, I am not sure.

Here are just a few of the errors that are kicking back when we start the
server and try to hit a page... I have replaced the domain name, I am not
working on dummy.com.

> [Fri Sep 9 22:30:55 2005] [error] mod_ssl: SSL handshake failed (server www.dummy.com:443, client 255.255.255.112) (OpenSSL library error follows)
> [Fri Sep 9 22:30:55 2005] [error] OpenSSL: error:140890C7:lib(20):func(137):reason(199)
> [Fri Sep 9 22:30:56 2005] [error] mod_ssl: SSL handshake failed (server www.dummy.com:443, client 255.255.255.112) (OpenSSL library error follows)
> [Fri Sep 9 22:30:56 2005] [error] OpenSSL: error:1408A10B:lib(20):func(138):reason(267)
> [Fri Sep 9 22:31:52 2005] [error] mod_ssl: SSL handshake failed (server www.dummy.com:443, client 255.255.255.112) (OpenSSL library error follows)
> [Fri Sep 9 22:31:52 2005] [error] OpenSSL: error:140890C7:lib(20):func(137):reason(199)
> [Fri Sep 9 22:31:52 2005] [error] mod_ssl: SSL handshake failed (server www.dummy.com:443, client 255.255.255.112) (OpenSSL library error follows)
> [Fri Sep 9 22:31:52 2005] [error] OpenSSL: error:1408A10B:lib(20):func(138):reason(267)
> [Fri Sep 9 22:49:04 2005] [error] mod_ssl: SSL handshake failed (server www.dummy.com:443, client 255.255.255.47) (OpenSSL library error follows)
> [Fri Sep 9 22:49:04 2005] [error] OpenSSL: error:1409441B:lib(20):func(148):reason(1051)
> [Fri Sep 9 22:55:53 2005] [error] mod_ssl: SSL handshake failed (server www.dummy.com:443, client 255.255.255.112) (OpenSSL library error follows)
> [Fri Sep 9 22:55:53 2005] [error] OpenSSL: error:140890C7:lib(20):func(137):reason(199)
> [Fri Sep 9 22:55:53 2005] [error] mod_ssl: SSL handshake failed (server www.dummy.com:443, client 255.255.255.112) (OpenSSL library error follows)
> [Fri Sep 9 22:55:53 2005] [error] OpenSSL: error:1408A10B:lib(20):func(138):reason(267)
> [Fri Sep 9 22:59:13 2005] [error] mod_ssl: SSL handshake failed (server www.dummy.com:443, client 255.255.255.112) (OpenSSL library error follows)
> [Fri Sep 9 22:59:13 2005] [error] OpenSSL: error:140890C7:lib(20):func(137):reason(199)
> [Fri Sep 9 22:59:13 2005] [error] mod_ssl: SSL handshake failed (server www.dummy.com:443, client 255.255.255.112) (OpenSSL library error follows)
> [Fri Sep 9 22:59:13 2005] [error] OpenSSL: error:1408A10B:lib(20):func(138):reason(267)
> [Fri Sep 9 23:00:22 2005] [error] mod_ssl: SSL handshake failed (server www.dummy.com:443, client 255.255.255.47) (OpenSSL library error follows)
> [Fri Sep 9 23:00:22 2005] [error] OpenSSL: error:1409441B:lib(20):func(148):reason(1051)
> [Fri Sep 9 23:06:13 2005] [error] mod_ssl: SSL handshake failed (server www.dummy.com:443, client 255.255.255.47) (OpenSSL library error follows)
> [Fri Sep 9 23:06:13 2005] [error] OpenSSL: error:1409441B:lib(20):func(148):reason(1051)
> [Fri Sep 9 23:42:34 2005] [error] mod_ssl: SSL handshake interrupted by system [Hint: Stop button pressed in browser?!] (System error follows)
> [Fri Sep 9 23:42:34 2005] [error] System: Connection reset by peer (errno: 131)

Here is a test I read out of the Professional Apache Security book by Wrox
Press...

> bash-2.02# openssl s_client -connect www.dummy.com:443
> CONNECTED(00000004)
> depth=1 /O=VeriSign Trust Network/OU=VeriSign, Inc./OU=VeriSign International Server CA - Class 3/OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign
> verify error:num=20:unable to get local issuer certificate
> verify return:0
> 18006:error:0407006A:rsa routines:RSA_padding_check_PKCS1_type_1:block type is not 01:rsa_pk1.c:100:
> 18006:error:04067072:rsa routines:RSA_EAY_PUBLIC_DECRYPT:padding check failed:rsa_eay.c:580:
> 18006:error:1408D07B:SSL routines:SSL3_GET_KEY_EXCHANGE:bad signature:s3_clnt.c:1185:
>

Here is an excerpt from the ssl_engine_log from startup.

> [09/Sep/2005 23:05:43 17594] [info] Server: Apache/1.3.29, Interface: mod_ssl/2.8.16, Library: OpenSSL/0.9.7c
> [09/Sep/2005 23:05:43 17594] [info] Init: 1st startup round (still not detached)
> [09/Sep/2005 23:05:43 17594] [info] Init: Initializing OpenSSL library
> [09/Sep/2005 23:05:43 17594] [info] Init: Loading certificate & private key of SSL-aware server www.dummy.com:443
> [09/Sep/2005 23:05:43 17594] [info] Init: Requesting pass phrase via builtin terminal dialog
> [09/Sep/2005 23:05:46 17594] [info] Init: Loading certificate & private key of SSL-aware server 255.255.255.21:443
> [09/Sep/2005 23:05:46 17594] [info] Init: Loading certificate & private key of SSL-aware server 255.255.255.46:443
> [09/Sep/2005 23:05:46 17594] [info] Init: Wiped out the queried pass phrases from memory
> [09/Sep/2005 23:05:46 17594] [info] Init: Seeding PRNG with 136 bytes of entropy
> [09/Sep/2005 23:05:46 17594] [info] Init: Generating temporary RSA private keys (512/1024 bits)
> [09/Sep/2005 23:05:49 17594] [info] Init: Configuring temporary DH parameters (512/1024 bits)
> [09/Sep/2005 23:05:49 17595] [info] Init: 2nd startup round (already detached)
> [09/Sep/2005 23:05:49 17595] [info] Init: Reinitializing OpenSSL library
> [09/Sep/2005 23:05:49 17595] [info] Init: Seeding PRNG with 136 bytes of entropy
> [09/Sep/2005 23:05:49 17595] [info] Init: Configuring temporary RSA private keys (512/1024 bits)
> [09/Sep/2005 23:05:49 17595] [info] Init: Configuring temporary DH parameters (512/1024 bits)
> [09/Sep/2005 23:05:49 17595] [info] Init: Initializing (virtual) servers for SSL
> [09/Sep/2005 23:05:50 17595] [info] Init: Configuring server www.dummy.com:443 for SSL protocol
> [09/Sep/2005 23:05:50 17595] [info] Init: (www.dummy.com:443) RSA server certificate enables Server Gated Cryptography (SGC)
> [09/Sep/2005 23:05:50 17595] [info] Init: Configuring server 255.255.255.21:443 for SSL protocol
> [09/Sep/2005 23:05:50 17595] [warn] Init: (255.255.255.21:443) RSA server certificate CommonName (CN) `www.dummy2.com' does NOT match server name!?
> [09/Sep/2005 23:05:50 17595] [info] Init: Configuring server 255.255.255.46:443 for SSL protocol
> [09/Sep/2005 23:05:50 17595] [warn] Init: (255.255.255.46:443) RSA server certificate CommonName (CN) `www.dummy3.com' does NOT match server name!?
> [09/Sep/2005 23:06:03 17596] [info] Connection to child 0 established (server 255.255.255.46:443, client 255.255.255.46)
> [09/Sep/2005 23:06:03 17596] [info] Seeding PRNG with 1160 bytes of entropy
> [09/Sep/2005 23:06:03 17596] [error] SSL handshake failed (server 255.255.255.46:443, client 255.255.255.46) (OpenSSL library error follows)
> [09/Sep/2005 23:06:03 17596] [error] OpenSSL: error:1409441B:lib(20):func(148):reason(1051)
> [09/Sep/2005 23:06:13 17597] [info] Connection to child 1 established (server www.dummy.com:443, client 255.255.255.47)
> [09/Sep/2005 23:06:13 17597] [info] Seeding PRNG with 1160 bytes of entropy
> [09/Sep/2005 23:06:13 17597] [error] SSL handshake failed (server www.dummy.com:443, client 255.255.255.47) (OpenSSL library error follows)
> [09/Sep/2005 23:06:13 17597] [error] OpenSSL: error:1409441B:lib(20):func(148):reason(1051)
> [09/Sep/2005 23:41:49 17598] [info] Connection to child 2 established (server 255.255.255.21:443, client 255.255.255.112)
> [09/Sep/2005 23:41:49 17598] [info] Seeding PRNG with 1160 bytes of entropy
> [09/Sep/2005 23:41:50 17598] [info] Initial (No.1) HTTPS request received for child 2 (server 255.255.255.21:443)
> [09/Sep/2005 23:41:51 17599] [info] Connection to child 3 established (server 255.255.255.21:443, client 255.255.255.112)
> [09/Sep/2005 23:41:51 17599] [info] Seeding PRNG with 1160 bytes of entropy
> [09/Sep/2005 23:41:52 17600] [info] Connection to child 4 established (server 255.255.255.21:443, client 255.255.255.112)
> [09/Sep/2005 23:41:52 17600] [info] Seeding PRNG with 1160 bytes of entropy
> [09/Sep/2005 23:41:53 17600] [info] Initial (No.1) HTTPS request received for child 4 (server 255.255.255.21:443)
> [09/Sep/2005 23:41:53 17599] [info] Initial (No.1) HTTPS request received for child 3 (server 255.255.255.21:443)
> [09/Sep/2005 23:42:08 17598] [info] Connection to child 2 closed with standard shutdown (server 255.255.255.21:443, client 255.255.255.112)
> [09/Sep/2005 23:42:09 17600] [info] Connection to child 4 closed with standard shutdown (server 255.255.255.21:443, client 255.255.255.112)
> [09/Sep/2005 23:42:10 17599] [info] Connection to child 3 closed with standard shutdown (server 255.255.255.21:443, client 255.255.255.112)
> [09/Sep/2005 23:42:11 17596] [info] Connection to child 0 established (server 255.255.255.21:443, client 255.255.255.112)
> [09/Sep/2005 23:42:11 17596] [info] Seeding PRNG with 1160 bytes of entropy
> [09/Sep/2005 23:42:20 17596] [info] Initial (No.1) HTTPS request received for child 0 (server 255.255.255.21:443)
> [09/Sep/2005 23:42:21 17605] [info] Connection to child 5 established (server 255.255.255.21:443, client 255.255.255.112)
> [09/Sep/2005 23:42:21 17605] [info] Seeding PRNG with 1160 bytes of entropy
> [09/Sep/2005 23:42:21 17596] [info] Connection to child 0 closed with unclean shutdown (server 255.255.255.21:443, client 255.255.255.112)
> [09/Sep/2005 23:42:21 17597] [info] Connection to child 1 established (server 255.255.255.21:443, client 255.255.255.112)
> [09/Sep/2005 23:42:21 17597] [info] Seeding PRNG with 1160 bytes of entropy
> [09/Sep/2005 23:42:22 17605] [info] Initial (No.1) HTTPS request received for child 5 (server 255.255.255.21:443)
> [09/Sep/2005 23:42:22 17605] [info] Connection to child 5 closed with unclean shutdown (server 255.255.255.21:443, client 255.255.255.112)
> [09/Sep/2005 23:42:22 17597] [info] Initial (No.1) HTTPS request received for child 1 (server 255.255.255.21:443)
> [09/Sep/2005 23:42:22 17597] [info] Connection to child 1 closed with unclean shutdown
(server 255.255.255.21:443, client 255.255.255.112) > [09/Sep/2005 23:42:31 17901] [info] Connection to child 6 established (server > www.dummy.com:443, client 255.255.255.112) > [09/Sep/2005 23:42:31 17901] [info] Seeding PRNG with 1160 bytes of entropy > [09/Sep/2005 23:42:34 17901] [error] SSL handshake interrupted by system > [Hint: Stop button pressed in browser?!] (System error follows) > [09/Sep/2005 23:42:34 17901] [error] System: Connection reset by peer (errno: > 131) > [09/Sep/2005 23:54:22 17902] [info] Connection to child 7 established (server > www.dummy.com:443, client 255.255.255.47) > [09/Sep/2005 23:54:22 17902] [info] Seeding PRNG with 1160 bytes of entropy > [09/Sep/2005 23:54:23 17902] [error] SSL handshake failed (server > www.dummy.com:443, client 255.255.255.47) (OpenSSL library error follows) > [09/Sep/2005 23:54:23 17902] [error] OpenSSL: > error:1409441B:lib(20):func(148):reason(1051)

The funny part is that I have actually had some luck signing my own certs. I still get errors but at least the page loads... With the Verisign cert, the page doesn't even load. Hopefully someone else has found their way through this maze and can shoot up a flare for me! Thanks all! Corey

P.S. I have tried tech support at Verisign with very little luck. They are very clear on the fact that they don't support open source. I am guessing they have their fingers in their ears a bit there...

From cfontaine at spidmail.net Sat Sep 10 09:35:55 2005 From: cfontaine at spidmail.net (Cedric Fontaine) Date: Sat, 10 Sep 2005 09:35:55 -0400 Subject: [nycphp-talk] PDF mailing labels in PHP 5 In-Reply-To: References: Message-ID: <4322E13B.2020806@spidmail.net> David Mintz wrote: > Or: does anyone know of another good solution for making labels? I > suppose possible solutions are: install PHP 4 to run in cgi mode and use > this code as is, or fix it to run under PHP 5.
I've been using FPDF with success http://www.fpdf.org/ and this script for labels http://www.fpdf.org/fr/script/script29.php Cedric From danielc at analysisandsolutions.com Sat Sep 10 10:42:08 2005 From: danielc at analysisandsolutions.com (Daniel Convissor) Date: Sat, 10 Sep 2005 10:42:08 -0400 Subject: [nycphp-talk] PHP on Windows + MS SQL Server In-Reply-To: References: Message-ID: <20050910144208.GB21130@panix.com> Hey Ophir: On Fri, Sep 09, 2005 at 05:20:33PM -0400, Ophir Prusak wrote: > > I'm working at a windows shop where all of the data is on MS SQL server 2000 > (using .asp and .aspx - .net) > > We're at the point where we're looking into adding PHP into the mix. PEAR DB works just dandy with MSSQL. Even if you don't want to use the package, you may gain some insights from the source code. --Dan -- T H E A N A L Y S I S A N D S O L U T I O N S C O M P A N Y data intensive web and database programming http://www.AnalysisAndSolutions.com/ 4015 7th Ave #4, Brooklyn NY 11232 v: 718-854-0335 f: 718-854-0409 From leegold at fastmail.fm Sat Sep 10 12:58:53 2005 From: leegold at fastmail.fm (leegold) Date: Sat, 10 Sep 2005 12:58:53 -0400 Subject: [nycphp-talk] XAMPP windows install question Message-ID: <1126371533.19948.242611975@webmail.messagingengine.com> # After installing MySQL as a service, remember to copy \xampp\mysql\my_example.cnf to C:\my.cnf I read this line above on the nyphp XAMPP site. Not sure cause I have no file named my.cnf on C:\ and MYSQL seems to be running OK - PHPMyAdmin works OK. Can/Should I ignore this? Thanks PS. What list on nyphp should I ask PHP programming questions? Although there are many newsgroups for this so I'm OK... 
From lists at zaunere.com Sat Sep 10 13:57:39 2005 From: lists at zaunere.com (Hans Zaunere) Date: Sat, 10 Sep 2005 13:57:39 -0400 Subject: [nycphp-talk] XAMPP windows install question In-Reply-To: <1126371533.19948.242611975@webmail.messagingengine.com> Message-ID: <0MKp2t-1EE9bg16UW-00021f@mrelay.perfora.net> leegold wrote on Saturday, September 10, 2005 12:59 PM: > # After installing MySQL as a service, remember to copy > \xampp\mysql\my_example.cnf to C:\my.cnf > > I read this line above on the nyphp XAMPP site. Not sure cause I have no > file named my.cnf on C:\ and MYSQL seems to be running OK - PHPMyAdmin > works OK. Can/Should I ignore this? If you're just running XAMPP for development and test drive purposes on your laptop, then you can ignore this for now. MySQL will use conservative defaults if it doesn't find a my.cnf file. Once you're ready to start playing around with the MySQL configuration, you can put the my.cnf file in a number of different places. I always put mine in the data directory of MySQL, for instance, c:\xampp\mysql\data > PS. What list on nyphp should I ask PHP programming questions? Although > there are many newsgroups for this so I'm OK... This is the list, NYPHP-Talk. You can of course view other lists at http://www.nyphp.org/lists/ --- Hans Zaunere / President / New York PHP www.nyphp.org / www.nyphp.com

From leegold at fastmail.fm Sat Sep 10 19:17:47 2005 From: leegold at fastmail.fm (leegold) Date: Sat, 10 Sep 2005 19:17:47 -0400 Subject: [nycphp-talk] PEAR help Message-ID: <1126394267.9586.242623311@webmail.messagingengine.com> XAMPP works great. I now want to get PEAR working. Using Win2K... How do I install PEAR? - of course I see the PEAR folder in xampp but isn't there a bit more I have to do? Do I have to edit my PATH env. var? Do I have to run a .bat to activate PEAR? PEAR will work from my DOS CMD line is this true? So I need to get it working and the test will be I'll download some PEAR packages... Thanks, Lee G.
From smanes at magpie.com Sun Sep 11 08:59:07 2005 From: smanes at magpie.com (Steve Manes) Date: Sun, 11 Sep 2005 08:59:07 -0400 Subject: [nycphp-talk] PHPWiki Message-ID: <43242A1B.4050102@magpie.com> Pardon me if this has been discussed before. I assume it has been but I was probably outside having a smoke. What's the general opinion about PHPWiki here? I'm tasked with setting up a Wiki for a large open source PHP dev project for Childrens Health Fund. I've set up and used TikiWiki before and it worked fine. It's just a bit of overkill for our needs and it would sorta politically undercut my argument for PHP as the base language for this project if I installed a perl wiki. I downloaded v1.3 last night and got it running okay albeit with tons of PHP warnings, mostly about using invalid types in referenced arg variables. I googled relentlessly on this problem only to find myself directed to other PHPWiki sites, most of which suffered from the same affliction. I know how to turn off those warnings and know (pretty much) what's causing them. But I'd rather not mask the symptoms. Also, PHP warnings indicate potentially problematic code. Is v1.3 not ready for prime time or does it require PHP5? The installation docs are somewhat byzantine. Is there a better PHP alternative to PHPWiki? From rolan at omnistep.com Sun Sep 11 09:34:34 2005 From: rolan at omnistep.com (Rolan Yang) Date: Sun, 11 Sep 2005 09:34:34 -0400 Subject: [nycphp-talk] worm/virus's hammering feedback scripts? Message-ID: <4324326A.8060307@omnistep.com> A few of my web based feedback (contact.php) scripts have been getting hammered with some sort of spam or bot net attack over the past week. The scripts are running on different servers at different web hosts, but the garbage coming in has been the same. The "from" field is filled in with random lower case letters like "kljaogr at domain.com" where "domain" is the website address. The body field contains the same email address. 
Sometimes "Content-Type: multipart/mixed; boundary=\"===============083392.." is appended to the email address in both the "from:" field and also the body. The submissions are coming from different ip's all over the world. Has anyone else been experiencing anything similar? ~Rolan

From kenrbnsn at rbnsn.com Sun Sep 11 09:50:20 2005 From: kenrbnsn at rbnsn.com (Ken Robinson) Date: Sun, 11 Sep 2005 09:50:20 -0400 Subject: [nycphp-talk] worm/virus's hammering feedback scripts? In-Reply-To: <4324326A.8060307@omnistep.com> References: <4324326A.8060307@omnistep.com> Message-ID: <6.2.5.4.2.20050911094253.02fb43b8@rbnsn.com> At 09:34 AM 9/11/2005, Rolan Yang wrote: >A few of my web based feedback (contact.php) scripts have been getting >hammered with some sort of spam or bot net attack over the past week. >The scripts are running on different servers at different web hosts, but >the garbage coming in has been the same. The "from" field is filled in >with random lower case letters like "kljaogr at domain.com" where "domain" >is the website address. The body field contains the same email address. > >Sometimes "Content-Type: multipart/mixed; >boundary=\"===============083392.." >is appended to the email address in both the "from:" field and also the >body. > >The submissions are coming from different ip's all over the world. >Has anyone else been experiencing anything similar?

Yes. I use the following function

    function checkit($name) {
        // strip raw and URL-encoded line breaks plus the header names the bot injects
        return(str_replace(array("\r", "\n", "%0A", "%0a", "%0D", "%0d", "Content-Type:", "BCC:", "bcc:"), "", $name));
    }

to render their attempts harmless. I use the above function with:

    $from = '"' . stripslashes(checkit($_POST['contactname'])) . '" <' . stripslashes(checkit($_POST['Email'])) . '>';
    $to = "kenrbnsn@kis-web-design.com";
    $headers = "From: " . $from . "\r\n";
    $headers .= "Reply-To: " . stripslashes(checkit($_POST['Email'])) . "\r\n\r\n";
    @mail($to, "Subject goes here", $mail_body, $headers);

They are still trying, but they aren't succeeding to do anything malicious. One of the attempts even put their code in my message textarea, which wouldn't have done anything anyway since it was in the body of the mail message. Ken

From tom at supertom.com Sun Sep 11 11:25:30 2005 From: tom at supertom.com (Tom) Date: Sun, 11 Sep 2005 11:25:30 -0400 Subject: [nycphp-talk] PHPWiki In-Reply-To: <43242A1B.4050102@magpie.com> Message-ID: <0IMN0014PR9LAX00@mta6.srv.hcvlny.cv.net> Hi Steve, I've tried PHPWiki in the past, and although useable, I've had great success with MediaWiki, which runs WikiPedia and the like. Very easy to install, and very mature. I understand there are a couple of forks of this, you may want to look into those as well. Tom http://www.liphp.org -----Original Message----- From: talk-bounces at lists.nyphp.org [mailto:talk-bounces at lists.nyphp.org] On Behalf Of Steve Manes Sent: Sunday, September 11, 2005 8:59 AM To: NYPHP Talk Subject: [nycphp-talk] PHPWiki Pardon me if this has been discussed before. I assume it has been but I was probably outside having a smoke. What's the general opinion about PHPWiki here? I'm tasked with setting up a Wiki for a large open source PHP dev project for Childrens Health Fund. I've set up and used TikiWiki before and it worked fine. It's just a bit of overkill for our needs and it would sorta politically undercut my argument for PHP as the base language for this project if I installed a perl wiki. I downloaded v1.3 last night and got it running okay albeit with tons of PHP warnings, mostly about using invalid types in referenced arg variables. I googled relentlessly on this problem only to find myself directed to other PHPWiki sites, most of which suffered from the same affliction. I know how to turn off those warnings and know (pretty much) what's causing them. But I'd rather not mask the symptoms.
Also, PHP warnings indicate potentially problematic code. Is v1.3 not ready for prime time or does it require PHP5? The installation docs are somewhat byzantine. Is there a better PHP alternative to PHPWiki? _______________________________________________ New York PHP Talk Mailing List AMP Technology Supporting Apache, MySQL and PHP http://lists.nyphp.org/mailman/listinfo/talk http://www.nyphp.org From mail at billyreisinger.com Sun Sep 11 11:09:14 2005 From: mail at billyreisinger.com (Billy Reisinger) Date: Sun, 11 Sep 2005 11:09:14 -0400 Subject: [nycphp-talk] worm/virus's hammering feedback scripts? In-Reply-To: <6.2.5.4.2.20050911094253.02fb43b8@rbnsn.com> References: <4324326A.8060307@omnistep.com> <6.2.5.4.2.20050911094253.02fb43b8@rbnsn.com> Message-ID: <3590C917-BA65-4696-AA35-73CD36CF5892@billyreisinger.com> Rolan: Follow Ken's advice immediately. To me, it looks like they DID succeed in hacking your mail script. I got the same email from one of my scripts, and I found out the next day that my hosting company had shut down my website - AOL called them to complain of tons of spam coming from my domain, and threatened to blacklist them. The hack is accomplished by injecting code into one of your fields; you have to check for line breaks and other suspicious stuff (like Bcc: headers) to make sure that someone isn't trying to inject additional recipients into the script. Here's a great page, detailing how the hack is accomplished: http://securephp.damonkohler.com/index.php/Email_Injection Hope this helps! Take care, Billy Reisinger On Sep 11, 2005, at 9:50 AM, Ken Robinson wrote: > At 09:34 AM 9/11/2005, Rolan Yang wrote: > >> A few of my web based feedback (contact.php) scripts have been >> getting >> hammered with some sort of spam or bot net attack over the past >> week. >> The scripts are running on different servers at different web >> hosts, but >> the garbage coming in has been the same. 
The "from" field is >> filled in >> with random lower case letters like "kljaogr at domain.com" where >> "domain" >> is the website address. The body field contains the same email >> address. >> >> Sometimes "Content-Type: multipart/mixed; >> boundary=\"===============083392.." >> is appended to the email address in both the "from:" field and >> also the >> body. >> >> The submissions are coming from different ip's all over the world. >> Has anyone else been experiencing anything similar? >> > > Yes. I use the following function
>
> function checkit($name) {
>     return(str_replace(array("\r", "\n", "%0A", "%0a", "%0D", "%0d",
>         "Content-Type:","BCC:","bcc:"), "", $name));
> }
>
> to render their attempts harmless.
>
> I use the above function with:
>
> $from = '"' . stripslashes(checkit($_POST['contactname'])) . '" <' .
>     stripslashes(checkit($_POST['Email'])) . '>';
> $to = "kenrbnsn@kis-web-design.com";
> $headers = "From: " . $from . "\r\n";
> $headers .= "Reply-To: " . stripslashes(checkit($_POST['Email'])) .
>     "\r\n\r\n";
> @mail($to, "Subject goes here", $mail_body, $headers);
>
> They are still trying, but they aren't succeeding to do anything > malicious. One of the attempts even put their code in my message > textarea, which wouldn't have done anything anyway since it was in > the body of the mail message. > > Ken > > _______________________________________________ > New York PHP Talk Mailing List > AMP Technology > Supporting Apache, MySQL and PHP > http://lists.nyphp.org/mailman/listinfo/talk > http://www.nyphp.org

From rajlist at rajshekhar.net Sun Sep 11 11:16:11 2005 From: rajlist at rajshekhar.net (Raj Shekhar) Date: Sun, 11 Sep 2005 20:46:11 +0530 Subject: [nycphp-talk] PHPWiki In-Reply-To: <43242A1B.4050102@magpie.com> References: <43242A1B.4050102@magpie.com> Message-ID: <43244A3B.9020707@rajshekhar.net> in infinite wisdom Steve Manes spoke thus On 09/11/2005 06:29 PM: > Is v1.3 not ready for prime time or does it require PHP5?
The > installation docs are somewhat byzantine. Is there a better PHP > alternative to PHPWiki? I have had good success in running PmWiki. http://rajshekhar.net/content/view/24/26/ . I also liked MediaWiki - though it requires a bit more resources. If you have a caching engine, then you will get a better performance. Both of these are in PHP -- Raj Shekhar Y!IM : lunatech3007 blog : http://rajshekhar.net/blog home : http://rajshekhar.net Disclaimer : http://rajshekhar.net/disclaimer

From tom at supertom.com Sun Sep 11 11:51:20 2005 From: tom at supertom.com (Tom) Date: Sun, 11 Sep 2005 11:51:20 -0400 Subject: [nycphp-talk] PEAR help In-Reply-To: <1126394267.9586.242623311@webmail.messagingengine.com> Message-ID: <0IMN001ERSGPPC00@mta6.srv.hcvlny.cv.net> Hi Lee, I haven't used XAMPP in a while, but from what I remember: In the php directory, there is the go-pear.bat file, run that and it will get you started. Yes, you can use pear from the DOS command-line, and it will install packages for you. I don't think you'll have to change your ENV any more than the provided scripts already do, but you may need to change your include directory in your php.ini, but I doubt it. Tom http://www.liphp.org -----Original Message----- From: talk-bounces at lists.nyphp.org [mailto:talk-bounces at lists.nyphp.org] On Behalf Of leegold Sent: Saturday, September 10, 2005 7:18 PM To: talk at lists.nyphp.org Subject: [nycphp-talk] PEAR help XAMPP works great. I now want to get PEAR working. Using Win2K... How do I install PEAR? - of course I see the PEAR folder in xampp but isn't there a bit more I have to do? Do I have to edit my PATH env. var? Do I have to run a .bat to activate PEAR? PEAR will work from my DOS CMD line is this true? So I need to get it working and the test will be I'll download some PEAR packages... Thanks, Lee G.
_______________________________________________ New York PHP Talk Mailing List AMP Technology Supporting Apache, MySQL and PHP http://lists.nyphp.org/mailman/listinfo/talk http://www.nyphp.org From lists at zaunere.com Sun Sep 11 13:24:41 2005 From: lists at zaunere.com (Hans Zaunere) Date: Sun, 11 Sep 2005 13:24:41 -0400 Subject: [nycphp-talk] worm/virus's hammering feedback scripts? In-Reply-To: <4324326A.8060307@omnistep.com> Message-ID: <0MKp2t-1EEVZL04AF-0004KA@mrelay.perfora.net> Rolan Yang wrote on Sunday, September 11, 2005 9:35 AM: > A few of my web based feedback (contact.php) scripts have been getting > hammered with some sort of spam or bot net attack over the past week. > The scripts are running on different servers at different web hosts, but > the garbage coming in has been the same. The "from" field is filled in > with random lower case letters like "kljaogr at domain.com" where "domain" > is the website address. The body field contains the same email address. > > Sometimes "Content-Type: multipart/mixed; > boundary=\"===============083392.." > is appended to the email address in both the "from:" field and also the > body. > > The submissions are coming from different ip's all over the world. > Has anyone else been experiencing anything similar? Yeah - I've been seeing it over the last couple of weeks. It's a particularly ingenuous method of taking advantage of primarily the MIME standard. I typically look for the string 'Content-Type:' in any submitted fields, and if it's found, the script records the IP and notifies me. 
Since it's my understanding that the exploitation can't happen without the use of Content-Type: (the MIME header that dictates part of a message's structure), something like this has worked well:

    foreach( $form_fields as $value )
    {
        if( stripos($value,'Content-Type:') !== FALSE )
        {
            mail('admin@my.com','Spam Attempt',$_SERVER['REMOTE_ADDR']);
            exit("{$_SERVER['REMOTE_ADDR']} Has been Recorded");
        }
    }

Of course complete input filtering might be the better solution to this. This is a particularly clever way of exploiting multiple technologies. I would argue that there is nothing broken in PHP or MIME. Rather, it's the combination of seemingly innocuous behaviors that create an exploitable situation. --- Hans Zaunere / President / New York PHP www.nyphp.org / www.nyphp.com

From dmintz at davidmintz.org Sun Sep 11 15:07:57 2005 From: dmintz at davidmintz.org (David Mintz) Date: Sun, 11 Sep 2005 15:07:57 -0400 (EDT) Subject: [nycphp-talk] PDF mailing labels in PHP 5 (will have to wait...) In-Reply-To: <4321FDA9.7030009@phpwerx.net> References: <4321FDA9.7030009@phpwerx.net> Message-ID: Thanks to all for the feedback. I think I will try Dan Cech's suggestion. Note to Tim G., yes the fonts are in the right location. More urgently, I have a couple of contact.php type scripts of my own to harden up because I am getting hit by this latest nuisance -- lucky for me there is this list where I didn't even have to ask to find some answers. So thanks to people on that thread, too. Damn that vicious little bot. On Fri, 9 Sep 2005, Dan Cech wrote: > I have used the pdf class extensively under php4, but not php5. > > I'd definitely spend a little time trying to figure out exactly what is > going wrong in php5, as it seems this wonderful class is receiving very > little of the love it deserves at present.
> > To get some idea of why the output may be munged, you could try using > this debugging code: > > // debugging > $pdf->ezText("\n\n".$pdf->messages,10,array('justification'=>'left')); > $pdfcode = $pdf->output(1); > $pdfcode = str_replace("\n","
\n",htmlspecialchars($pdfcode)); > echo ''; > echo trim($pdfcode); > echo ''; > exit(); --- David Mintz http://davidmintz.org/ From rolan at omnistep.com Sun Sep 11 15:57:35 2005 From: rolan at omnistep.com (Rolan Yang) Date: Sun, 11 Sep 2005 15:57:35 -0400 Subject: [nycphp-talk] worm/virus's hammering feedback scripts? In-Reply-To: <0MKp2t-1EEVZL04AF-0004KA@mrelay.perfora.net> References: <0MKp2t-1EEVZL04AF-0004KA@mrelay.perfora.net> Message-ID: <43248C2F.8030006@omnistep.com> Thanks everyone for your help. I checked my web logs and it does indeed appear that the script was exploitable. Lucky for me, the only unauthorized email was sent to "jrubin3546 at aol.com" That email appears to be a probe used by the spambot to verify exploitable websites. I would imagine the hacker wrote some sort of script that queried google for "contactphp" or "feedback.php", harvested the results into a list which was then sent out to a botnet to probe for vulnerable scripts and collect the results via a list of free aol accounts. Do a search for the email above on google and you will find thousands of results. Many of them are the results in blog/feedback pages in which attempts have been made to hack them. There should be a large warning put out about this (perhaps I missed the bulletin?). I have not seen any spam being sent out from my servers, but I'm sure in time the hacker/spammer will do so. ~Rolan From rolan at omnistep.com Sun Sep 11 23:51:46 2005 From: rolan at omnistep.com (Rolan Yang) Date: Sun, 11 Sep 2005 23:51:46 -0400 Subject: [nycphp-talk] worm/virus's hammering feedback scripts? In-Reply-To: <43248C2F.8030006@omnistep.com> References: <0MKp2t-1EEVZL04AF-0004KA@mrelay.perfora.net> <43248C2F.8030006@omnistep.com> Message-ID: <4324FB52.5010806@omnistep.com> One more hint to all: If you are hosting php scripts for other people, or simply have too many to comb through on your own server(s), grep your mail server log for "jrubin3546 at aol.com". 
If you see any results, cross reference that time with your web logs to locate the exploitable script. ~Rolan From jsiegel1 at optonline.net Mon Sep 12 06:44:48 2005 From: jsiegel1 at optonline.net (Jeff Siegel) Date: Mon, 12 Sep 2005 06:44:48 -0400 Subject: [nycphp-talk] worm/virus's hammering feedback scripts? In-Reply-To: <4324FB52.5010806@omnistep.com> Message-ID: <0IMP00BBC9UP4200@mta6.srv.hcvlny.cv.net> An FYI. On all of my website login pages, I have my script email me all of the global variables (i.e., $GLOBALS) when someone fails to log in. I've received emails from my error handler similar to those like the "jrubin" one. The point is that whatever bot is running, it seems to be trying to inject its dastardly code into any PHP form it finds. Jeff -----Original Message----- From: talk-bounces at lists.nyphp.org [mailto:talk-bounces at lists.nyphp.org] On Behalf Of Rolan Yang Sent: Sunday, September 11, 2005 10:52 PM To: NYPHP Talk Subject: Re: [nycphp-talk] worm/virus's hammering feedback scripts? One more hint to all: If you are hosting php scripts for other people, or simply have too many to comb through on your own server(s), grep your mail server log for "jrubin3546 at aol.com". If you see any results, cross reference that time with your web logs to locate the exploitable script. ~Rolan _______________________________________________ New York PHP Talk Mailing List AMP Technology Supporting Apache, MySQL and PHP http://lists.nyphp.org/mailman/listinfo/talk http://www.nyphp.org From chsnyder at gmail.com Mon Sep 12 08:04:56 2005 From: chsnyder at gmail.com (csnyder) Date: Mon, 12 Sep 2005 08:04:56 -0400 Subject: [nycphp-talk] PHPWiki In-Reply-To: <43242A1B.4050102@magpie.com> References: <43242A1B.4050102@magpie.com> Message-ID: On 9/11/05, Steve Manes wrote: > Is v1.3 not ready for prime time or does it require PHP5? The > installation docs are somewhat byzantine. Is there a better PHP > alternative to PHPWiki? I'll second Tom's suggestion of MediaWiki. 
PHPWiki worked fine for me until I tried to upgrade to PHP5, which was extremely unpleasant. -- Chris Snyder http://chxo.com/ From lists at zaunere.com Mon Sep 12 08:38:17 2005 From: lists at zaunere.com (Hans Zaunere) Date: Mon, 12 Sep 2005 08:38:17 -0400 Subject: [nycphp-talk] worm/virus's hammering feedback scripts? In-Reply-To: <4324FB52.5010806@omnistep.com> Message-ID: <0MKp2t-1EEnZh055l-0000LJ@mrelay.perfora.net> Rolan Yang scribbled on Sunday, September 11, 2005 11:52 PM: > One more hint to all: > > If you are hosting php scripts for other people, or simply have too > many to comb through on your own server(s), grep your mail server log > for "jrubin3546 at aol.com". If you see any results, cross reference > that time with your web logs to locate the exploitable script. Another address I've seen is mhkoch321 at aol.com Rolan, and I think you're right about this problem not getting enough exposure. If you can write-up a couple of paragraphs about it, I'll post it on nyphp.org's frontpage. --- Hans Zaunere / President / New York PHP www.nyphp.org / www.nyphp.com From krook at us.ibm.com Mon Sep 12 09:32:02 2005 From: krook at us.ibm.com (Daniel Krook) Date: Mon, 12 Sep 2005 09:32:02 -0400 Subject: [nycphp-talk] worm/virus's hammering feedback scripts? In-Reply-To: <0MKp2t-1EEVZL04AF-0004KA@mrelay.perfora.net> Message-ID: > It's a particularly ingenuous method of taking advantage > of primarily the MIME standard. I typically look for the > string 'Content-Type:' in any submitted fields, and if > it's found, the script records the IP and notifies me. This is important, I found injections in ALL my fields, not just the obvious textarea fields. Hidden and regular text boxes have been used as well, since this attack is automated and doesn't function as a normal browser would. 
> Since it's my understanding that the exploitation can't
> happen without the use of Content-Type: (the MIME header
> that dictates part of a message's structure), something
> like this has worked well:
>
> foreach( $form_fields as $value )
> {
>     if( stripos($value,'Content-Type:') !== FALSE )
>     {
>         mail('admin@my.com','Spam Attempt',$_SERVER['REMOTE_ADDR']);
>         exit("{$_SERVER['REMOTE_ADDR']} Has been Recorded");
>     }
> }

A PHP4 version of the above looks something like this, and seems to work:

    if (strpos(strtolower($someField), 'content-type:') !== false) {
        mail('admin@example.net', 'Spam attempt from example.net', $_SERVER['REMOTE_ADDR']);
    } else {
        mail('customerservice@example.net', 'Customer submission from example.net', $msg, $headers);
    }

> Of course complete input filtering might be the better
> solution to this.

Agreed. Daniel Krook, Advisory IT Specialist Application Development, Production Services - Tools, ibm.com Personal: http://info.krook.org/ BluePages: http://bluepages.redirect.webahead.ibm.com/ BlogPages: http://blogpages.redirect.webahead.ibm.com/

From mail at billyreisinger.com Mon Sep 12 09:55:59 2005 From: mail at billyreisinger.com (Billy Reisinger) Date: Mon, 12 Sep 2005 09:55:59 -0400 Subject: [nycphp-talk] worm/virus's hammering feedback scripts? In-Reply-To: <0MKp2t-1EEnZh055l-0000LJ@mrelay.perfora.net> References: <0MKp2t-1EEnZh055l-0000LJ@mrelay.perfora.net> Message-ID: <432588EF.6040409@billyreisinger.com> I think it is important to note that the attacker(s) are probably using many email addresses, and that everyone should start checking their input fields to make sure that MIME headers aren't being injected into their mail scripts.
Cheers, Billy Reisinger Hans Zaunere wrote: >Rolan Yang scribbled on Sunday, September 11, 2005 11:52 PM: > > >>One more hint to all: >> >> If you are hosting php scripts for other people, or simply have too >>many to comb through on your own server(s), grep your mail server log >>for "jrubin3546 at aol.com". If you see any results, cross reference >>that time with your web logs to locate the exploitable script. >> >> > >Another address I've seen is mhkoch321 at aol.com > >Rolan, and I think you're right about this problem not getting enough >exposure. If you can write-up a couple of paragraphs about it, I'll post it >on nyphp.org's frontpage. > > >--- >Hans Zaunere / President / New York PHP > www.nyphp.org / www.nyphp.com > > >_______________________________________________ >New York PHP Talk Mailing List >AMP Technology >Supporting Apache, MySQL and PHP >http://lists.nyphp.org/mailman/listinfo/talk >http://www.nyphp.org > > > > > From shiflett at php.net Mon Sep 12 10:05:05 2005 From: shiflett at php.net (Chris Shiflett) Date: Mon, 12 Sep 2005 10:05:05 -0400 Subject: [nycphp-talk] worm/virus's hammering feedback scripts? In-Reply-To: References: Message-ID: <43258B11.6040707@php.net> Daniel Krook wrote: > This is important, I found injections in ALL my fields, not just the > obvious textarea fields. Hidden and regular text boxes have been used > as well, since this attack is automated and doesn't function as a > normal browser would. Having just written a penetration testing tool, I can say that an application's HTML is the perfect blueprint for an attack. It's pretty trivial to collect a list of URLs within an application. With that list, you simply search for all links and forms that point to each URL (not one pass per URL, but you get the idea), and you collect a list of variable names that are expected by each script. It doesn't matter what the interface to the user is. 
With such a list, you can pretty much do whatever you please - you can
even try injecting content into each variable name as a variety of types
- GET data, POST data, cookies, etc.

So, as developers, we must necessarily give away a lot of information
about our applications. This makes our job even harder.

Chris

--
Chris Shiflett
Brain Bulb, The PHP Consultancy
http://brainbulb.com/

From chsnyder at gmail.com Mon Sep 12 11:06:47 2005
From: chsnyder at gmail.com (csnyder)
Date: Mon, 12 Sep 2005 11:06:47 -0400
Subject: [nycphp-talk] worm/virus's hammering feedback scripts?
In-Reply-To: <43258B11.6040707@php.net>
References: <43258B11.6040707@php.net>
Message-ID:

On 9/12/05, Chris Shiflett wrote:
> With such a list, you can pretty much do whatever you please - you can
> even try injecting content into each variable name as a variety of types
> - GET data, POST data, cookies, etc.
>
> So, as developers, we must necessarily give away a lot of information
> about our applications. This makes our job even harder.

The web is the most insecure environment ever invented for applications.
Your entire *public* interface is transparently exposed to any and all
attackers, both human and scripted, 24x7 worldwide.

Spam bots like the one described in this thread are just the beginning, I
think. Sorry for the fear-mongering, what can PHP do to protect us?

A simpler mail() function would be a great start. Something like:

text_mail( $to, $from, $subject, $body )
 - strip MIME injection from all inputs
 - strip \r and \n from all but the body
 - strip_tags( $body )

This would address (almost?) everything that contact.php and feedback.php
builders need from an email function. Or if that's too limited, use an
array for $headers and build them from each element in the array, stripped
of \r and \n.
--
Chris Snyder
http://chxo.com/

From rolan at omnistep.com Mon Sep 12 11:16:18 2005
From: rolan at omnistep.com (Rolan Yang)
Date: Mon, 12 Sep 2005 11:16:18 -0400
Subject: [nycphp-talk] worm/virus's hammering feedback scripts?
In-Reply-To: <0MKp2t-1EEnZh055l-0000LJ@mrelay.perfora.net>
References: <0MKp2t-1EEnZh055l-0000LJ@mrelay.perfora.net>
Message-ID: <43259BC2.4050604@omnistep.com>

Hans Zaunere wrote:
>Another address I've seen is mhkoch321 at aol.com
>
>Rolan, and I think you're right about this problem not getting enough
>exposure. If you can write-up a couple of paragraphs about it, I'll post it
>on nyphp.org's frontpage.
>

Ok, here's the bulletin. If anyone would like to polish it up, feel free to
do so. I'm not good at writing this stuff.

Problem:
Bot-net scanning underway to detect and log php scripts which are
vulnerable to an email header injection exploit.

What is vulnerable:
PHP scripts which send email based on cgi input data should be inspected
for the vulnerability.

Discussion:
A large scale distributed network of machines is currently being employed
to scan php based websites in search of scripts which are vulnerable to an
injection-style security exploit. The exploit permits an attacker to send
emails to arbitrary destinations. A common target is the web based feedback
form which submits an email to a designated address, but could be any form
which results in an email being sent. The method used to exploit the
vulnerability is by injection of email headers into cgi form fields which
are passed to the mail server. The mail server then parses the headers and
sends the email to the address(es) designated in the maliciously injected
headers.

Exploit:
The bot-net script currently probes vulnerable scripts by injecting
malicious headers into cgi form fields. The headers forward an email
response to one of several target email addresses to which the hacker has
access.
We assume the attacker is collecting a list of vulnerable sites which may
be used later as an open relay for spam or large scale deployment of
viruses/worms.

For more information about the attack, please refer to:
http://securephp.damonkohler.com/index.php/Email_Injection (thanks to
Billy Reisinger for the link)

A google search for the target emails reveals that scans have been taking
place since at least July 8, 2005

Detection and Solution:
The current bot-net probe is known to send its reply to one of several
known email addresses on the following list.

Grep through your mail server logs for the list of emails. If any are
found, cross reference the time of the mailing to times in your web server
logs to help determine the exploitable script.

grep -f exploitemails.txt /var/log/maillog (or wherever your mail log is
located)

Vulnerable scripts should be modified to properly filter input fields.
Ken Robinson has posted a php example at:
http://lists.nyphp.org/pipermail/talk/2005-September/016124.html

To follow the mailing list thread on this topic, please visit:
http://lists.nyphp.org/pipermail/talk/2005-September/thread.html#16123

(we should build a list of these emails and publish them along with this
notification)

Current list:
jrubin3546 at aol.com
mkoch321 at aol.com
wnacyiplay at aol.com
kshmng at aol.com
Homeiragtime at aol.com
bergkoch8 at aol.com

~Rolan Yang

From michael.southwell at nyphp.org Mon Sep 12 12:15:21 2005
From: michael.southwell at nyphp.org (Michael Southwell)
Date: Mon, 12 Sep 2005 12:15:21 -0400
Subject: [nycphp-talk] worm/virus's hammering feedback scripts? POLISHED VERSION
In-Reply-To: <43259BC2.4050604@omnistep.com>
References: <0MKp2t-1EEnZh055l-0000LJ@mrelay.perfora.net> <43259BC2.4050604@omnistep.com>
Message-ID: <6.2.3.4.2.20050912120926.0244d060@mail.optonline.net>

I polished this up a bit.
IMPORTANT: Ken's original function did not work in my testing, because (1)
the \ in \r and \n needed to be escaped, and (2) he had the letter O
instead of the numeral 0 in the hex numbers. Somebody smarter than I am,
please check carefully the modified version included below.

===========================

Problem:
Bot-net scanning to locate php scripts which are vulnerable to an email
header injection exploit. All PHP scripts which send email based on input
data are vulnerable.

Discussion:
A large scale distributed network of machines is currently being employed
to scan php-based websites in search of scripts which are vulnerable to an
injection-style security exploit. The exploit permits an attacker to send
emails to arbitrary destinations. A common target is the kind of web-based
feedback form which submits an email to a designated address, but any form
which results in an email being sent could be vulnerable. The bot-net
script injects malicious email headers into the form's fields, which are
then passed to the mail server. The mail server parses those headers and
then sends email to the address designated in the maliciously injected
headers. We assume the attacker is collecting a list of vulnerable sites
which may be used later as an open relay for spam or large scale deployment
of viruses/worms.

For more information about the attack, see
http://securephp.damonkohler.com/index.php/Email_Injection (Thanks to Billy
Reisinger for this link.)
A Google search for the injected email addresses reveals that scans have
been taking place since at least July 8, 2005

Detection and Solution:
The current bot-net probe is known to send its reply to one of several
known email addresses on the following list (current as of this writing):

jrubin3546 at aol.com
mkoch321 at aol.com
wnacyiplay at aol.com
kshmng at aol.com
Homeiragtime at aol.com
bergkoch8 at aol.com

Grep through your mail server logs for the list of emails, using a command
something like this:

grep -f exploitaddresses.lst /var/log/maillog (or wherever your mail log
is located)

If any are found, cross reference the time of the mailing to times in your
web server logs to help determine the exploitable script.

Modify any such scripts to properly filter input fields, with a function
something like this:

function safe( $name ) {
    // In a double-quoted PHP string "\r" and "\n" are the CR and LF
    // characters themselves, which is what an injected header line needs;
    // "\\r" would only match a literal backslash followed by the letter r.
    return( str_replace( array( "\r", "\n",
                                "%0A", "%0a", "%0D", "%0d",
                                "Content-Type:", "BCC:", "bcc:" ),
                         "", $name ) );
}

(Thanks to Ken Robinson for the original version of this function.)

To follow the mailing list thread on this topic, see
http://lists.nyphp.org/pipermail/talk/2005-September/thread.html#16123

Michael Southwell, Vice President for Education
New York PHP
http://www.nyphp.com/training - In-depth PHP Training Courses

From danielc at analysisandsolutions.com Mon Sep 12 12:20:18 2005
From: danielc at analysisandsolutions.com (Daniel Convissor)
Date: Mon, 12 Sep 2005 12:20:18 -0400
Subject: [nycphp-talk] worm/virus's hammering feedback scripts?
In-Reply-To: <43259BC2.4050604@omnistep.com>
References: <0MKp2t-1EEVZL04AF-0004KA@mrelay.perfora.net> <0MKp2t-1EEnZh055l-0000LJ@mrelay.perfora.net> <43259BC2.4050604@omnistep.com>
Message-ID: <20050912162018.GA22938@panix.com>

Hey Folks:

On Mon, Sep 12, 2005 at 11:16:18AM -0400, Rolan Yang wrote:
> Detection and Solution:
> The current bot-net probe is known to send its reply to one of several
> known email addresses on the following list.
A list of addresses is the wrong approach. The email addresses are
variable and easy to change. More importantly, the content is the issue,
not the email address.

> Vulnerable scripts should be modified to properly filter input fields.
> Ken Robinson has posted a
> php example at:
> http://lists.nyphp.org/pipermail/talk/2005-September/016124.html

That solution is less than perfect. First, it's case sensitive, so misses
things like "BcC", meaning str_ireplace() would be better. Second, it
catches things that don't need to be.

The mere existence of "content-type" or "bcc" in the inputs isn't a
problem. The danger is having those at the beginning of a line and only
in fields that get put into the email headers. So, this vulnerability can
be solved by removing white space characters other than regular spaces
from any field going into the email headers. Or better yet, only allowing
letters, numbers, spaces and a few punctuation type characters.

Non Issue:
$var = "Content-type: crack";
$subject = "Subject: $var";

Real Issue:
$var = "You're about to be cracked\r\nContent-type: crack";
$subject = "Subject: $var";

--Dan

--
 T H E   A N A L Y S I S   A N D   S O L U T I O N S   C O M P A N Y
 data intensive web and database programming
 http://www.AnalysisAndSolutions.com/
 4015 7th Ave #4, Brooklyn NY 11232  v: 718-854-0335 f: 718-854-0409

From edwardpotter at gmail.com Mon Sep 12 12:29:12 2005
From: edwardpotter at gmail.com (edward potter)
Date: Mon, 12 Sep 2005 12:29:12 -0400
Subject: [nycphp-talk] PHPWiki
In-Reply-To:
References: <43242A1B.4050102@magpie.com>
Message-ID:

i'm also a convert to MediaWiki. I would LOVE to see an O'Reilly book on
MediaWiki __ the code is super-tight, hardcore php and it usually takes me
an afternoon just to figure what a procedure may be doing (kind of like
osCommerce). I was wondering if anyone has come across a good Programmers
Guide to MediaWiki, yes i've googled it, have some links, but still kind
of piece meal.
thanks, ed

On 9/12/05, csnyder wrote:
>
> On 9/11/05, Steve Manes wrote:
>
> > Is v1.3 not ready for prime time or does it require PHP5? The
> > installation docs are somewhat byzantine. Is there a better PHP
> > alternative to PHPWiki?
>
> I'll second Tom's suggestion of MediaWiki.
>
> PHPWiki worked fine for me until I tried to upgrade to PHP5, which was
> extremely unpleasant.
>
>
> --
> Chris Snyder
> http://chxo.com/
> _______________________________________________
> New York PHP Talk Mailing List
> AMP Technology
> Supporting Apache, MySQL and PHP
> http://lists.nyphp.org/mailman/listinfo/talk
> http://www.nyphp.org
>

From michael.southwell at nyphp.org Mon Sep 12 12:41:12 2005
From: michael.southwell at nyphp.org (Michael Southwell)
Date: Mon, 12 Sep 2005 12:41:12 -0400
Subject: [nycphp-talk] worm/virus's hammering feedback scripts?
In-Reply-To: <20050912162018.GA22938@panix.com>
References: <0MKp2t-1EEVZL04AF-0004KA@mrelay.perfora.net> <0MKp2t-1EEnZh055l-0000LJ@mrelay.perfora.net> <43259BC2.4050604@omnistep.com> <20050912162018.GA22938@panix.com>
Message-ID: <6.2.3.4.2.20050912123707.0246ca40@mail.optonline.net>

At 12:20 PM 9/12/2005, you wrote:
>Hey Folks:
>
>On Mon, Sep 12, 2005 at 11:16:18AM -0400, Rolan Yang wrote:
>
> > Detection and Solution:
> > The current bot-net probe is known to send its reply to one of several
> > known email addresses on the following list.
>
>A list of addresses is the wrong approach. The email addresses are
>variable and easy to change. More importantly, the content is the issue,
>not the email address.

The point is simply to identify which scripts have sent emails to the
known-bad addresses; those are the vulnerable ones.

> > Vulnerable scripts should be modified to properly filter input fields.
> > Ken Robinson has posted a > > php example at: > > http://lists.nyphp.org/pipermail/talk/2005-September/016124.html > >That solution is less than perfect. First, it's case sensitive, so misses >things like "BcC", meaning str_ireplace() would be better. Second, it >catches things that don't need to be. There were other problems as well, which I noted in my polished version. We need an officially sanctioned version of the function before we can post anything. >The mere existence of "content-type" or "bcc" in the inputs isn't a >problem. The danger is having those at the beginning of a line and only >in fields that get put into the email headers. So, this vulnerability can >be solved by removing white space characters other than regular spaces >from any field going into the email headers. Or better yet, only allowing >letters, numbers, spaces and a few punctuation type characters. Michael Southwell, Vice President for Education New York PHP http://www.nyphp.com/training - In-depth PHP Training Courses From lists at zaunere.com Mon Sep 12 13:31:32 2005 From: lists at zaunere.com (Hans Zaunere) Date: Mon, 12 Sep 2005 13:31:32 -0400 Subject: [nycphp-talk] worm/virus's hammering feedback scripts? In-Reply-To: <43259BC2.4050604@omnistep.com> Message-ID: <0MKoyl-1EEs9W42VD-0003yN@mrelay.perfora.net> This is great Rolan, many thanks - I'll get it online right away... H Rolan Yang scribbled on Monday, September 12, 2005 11:16 AM: > Hans Zaunere wrote: > > > Another address I've seen is mhkoch321 at aol.com > > > > Rolan, and I think you're right about this problem not getting > > enough exposure. If you can write-up a couple of paragraphs about > > it, I'll post it on nyphp.org's frontpage. > > > Ok, here's the bulletin. If anyone would like to polish it up, feel > free to do so. I'm not good at writing this stuff. > > Problem: > Bot-net scanning underway to detect and log php scripts which are > vulnerable to a email header injection exploit. 
> > What is vulnerable: > PHP scripts which send email based on cgi input data should be > inspected for the vulnerability. > > Discussion: > A large scale distributed network of machines are currently being > employed to scan php based websites in search of scripts which are > vulnerable to a injection-style security exploit. The exploit permits > an attacker to send emails to arbitrary destinations. A common target > is the web based feedback form which submits an email to a designated > address, but could be any form which results in an email being sent. > The method used to exploit the vulnerability is by injection of email > headers into cgi form fields which are passed to the mail server. The > mail server then parses the headers and sends the email to the > address(es) designated in the maliciously injected headers. > > Exploit: > The bot-net script currently probes vulnerable scripts by injecting > malicious headers into cgi form fields. The headers forward an email > response to one of several target email address to which the hacker > has access. We assume the attacker is collecting a list of vulnerable > sites which may be used later as an open relay for spam or large > scale deployment of viruses/worms. > > For more information about the attack, please refer to: > http://securephp.damonkohler.com/index.php/Email_Injection (thank's to > Billy Reisinger for the link) > > A google search for the target emails reveals that scans have been > taking place since at least July 8, 2005 > > Detection and Solution: > The current bot-net probe is known to send its reply to one of several > known email addresses on the following list. > > Grep through your mail server logs for the list of emails. If any are > found, cross reference the time of the mailing to times in your web > server logs to help determine the exploitable script. 
> > grep -f exploitemails.txt /var/log/maillog (or wherever your mail log > is located) > > Vulnerable scripts should be modified to properly filter input fields. > Ken Robinson has posted a > php example at: > http://lists.nyphp.org/pipermail/talk/2005-September/016124.html > > To follow the mailing list thread on this topic, please visit: > http://lists.nyphp.org/pipermail/talk/2005-September/thread.html#16123 > > (we should build a list of these emails and publish them along with > this notification) > > Current list: > jrubin3546 at aol.com > mkoch321 at aol.com > wnacyiplay at aol.com > kshmng at aol.com > Homeiragtime at aol.com > bergkoch8 at aol.com > > ~Rolan Yang > _______________________________________________ > New York PHP Talk Mailing List > AMP Technology > Supporting Apache, MySQL and PHP > http://lists.nyphp.org/mailman/listinfo/talk > http://www.nyphp.org From lists at zaunere.com Mon Sep 12 13:31:32 2005 From: lists at zaunere.com (Hans Zaunere) Date: Mon, 12 Sep 2005 13:31:32 -0400 Subject: [nycphp-talk] worm/virus's hammering feedback scripts? In-Reply-To: Message-ID: <0MKoyl-1EEs9Z0ZJR-0003yN@mrelay.perfora.net> csnyder scribbled on Monday, September 12, 2005 11:07 AM: > On 9/12/05, Chris Shiflett wrote: > > > With such a list, you can pretty much do whatever you please - you > > can even try injecting content into each variable name as a variety > > of types - GET data, POST data, cookies, etc. > > > > So, as developers, we must necessarily give away a lot of > > information about our applications. This makes our job even harder. It's the nature of the beast and shouldn't be feared - a good Internet developer should always assume that their application will be exposed to unexpected circumstances. And especially in a web environment, it should always be assumed that the most common of the unexpected circumstances will be direct/raw access to the application, ie, not using a browser. 
> The web is the most insecure environment ever invented for > applications. Your entire *public* interface is transparently exposed > to any and all attackers, both human and scripted, 24x7 worldwide. > > Spam bots like the one described in this thread are just the > beginning, I think. Sorry for the fear-mongering, what can PHP do to > protect us? I'm not sure it's PHP's responsibility. Is it C's responsibility that you don't overstep memory bounds? Sure, some will argue that it is, and while this is more a matter of opinion, I'm of the school that a language should provide the tools, and let the developer be responsible for the implementation. Many times, these tools should be available as a library, rather than the language itself. From past PHP features - like magic quotes and register globals - I think we've seen that language supplied convenience can be more of a hindrance, than an aid. There's a fine line between the language itself doing something, and the library that does something (thus the moving of many PHP extensions from the core language into PECL). A web developer has to understand that their application isn't subject to access solely through a browser. Countless times I've seen lights go off in people's heads when I've asked "what would happen if I telnet into your web server and start sending HTTP crafted headers?" The lights are often followed by open eyes and then intense code work :) --- Hans Zaunere / President / New York PHP www.nyphp.org / www.nyphp.com From dmintz at davidmintz.org Mon Sep 12 14:24:07 2005 From: dmintz at davidmintz.org (David Mintz) Date: Mon, 12 Sep 2005 14:24:07 -0400 (EDT) Subject: [nycphp-talk] worm/virus's hammering feedback scripts? In-Reply-To: <43248C2F.8030006@omnistep.com> References: <0MKp2t-1EEVZL04AF-0004KA@mrelay.perfora.net> <43248C2F.8030006@omnistep.com> Message-ID: I am a little confused about how my contact.php has been abused, or whether the attack actually succeeded or just annoyed me. 
There are fields for contact data such as phone number etc but these are
validated and then end up as part of the message body.

The To (site owner, and me) and Subject headers are hard-coded. The
user-supplied email goes into Reply-to header as a convenience to the
ultimate human receiver. However, that email is validated against this
regex by HTML_QuickForm:

/^((\"[^\"\f\n\r\t\v\b]+\")|([\w\!\#\$\%\&\'\*\+\-\~\/\^\`\|\{\}]+(\.[\w\!\#\$\%\&\'\*\+\-\~\/\^\`\|\{\}]+)*))@((\[(((25[0-5])|(2[0-4][0-9])|([0-1]?[0-9]?[0-9]))\.((25[0-5])|(2[0-4][0-9])|([0-1]?[0-9]?[0-9]))\.((25[0-5])|(2[0-4][0-9])|([0-1]?[0-9]?[0-9]))\.((25[0-5])|(2[0-4][0-9])|([0-1]?[0-9]?[0-9])))\])|(((25[0-5])|(2[0-4][0-9])|([0-1]?[0-9]?[0-9]))\.((25[0-5])|(2[0-4][0-9])|([0-1]?[0-9]?[0-9]))\.((25[0-5])|(2[0-4][0-9])|([0-1]?[0-9]?[0-9]))\.((25[0-5])|(2[0-4][0-9])|([0-1]?[0-9]?[0-9])))|((([A-Za-z0-9\-])+\.)+[A-Za-z\-]+))$/

It isn't optimized for readability but I really don't think you can slip
newlines and "\r\nCc: whatever at example.org" and 'Content-type:...' in
there. Messages come to me like the following (site domain name changed
for discretion's sake). It looks like the nasty part only made it into the
message body. Does this nevertheless mean the mail function actually sent
mail to the now famous jrubin3546 at aol.com?

Date: 11 Sep 2005 16:55:58 -0000
From: webmaster at example.org
Reply-To: jkbfi at example.org
To: site-owner at example.org, dmintz at davidmintz.org
Subject: EXAMPLE Mailing List

The following request to be added to the EXAMPLE mailing list was
submitted via EXAMPLE.org on 11-Sep-2005 at 12:55 pm

jkbfi at example.org, jkbfi at example.org jkbfi at example.org
Content-Type: multipart/mixed; boundary="===============2144621942=="
MIME-Version: 1.0
Subject: a29babd0
To: jkbfi at example.org
bcc: jrubin3546 at aol.com
From: jkbfi at example.org

This is a multi-part message in MIME format.

--===============2144621942==
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit

bsmiaujtd
--===============2144621942==--
jkbfi at example.org
jkbfi at example.org
jkbfi at example.org
jkbfi at example.org
jkbfi at example.org, jkbfi at example.org jkbfi at example.org

Business phone jkbfi at example.org
Business fax jkbfi at example.org
Cellular jkbfi at example.org
Home phone jkbfi at example.org
Email jkbfi at example.org

[end example]

Meanwhile I have hardened this script along the lines suggested by Hans Z
et al and started logging the state of the input after validation on every
invocation of the script, and these logs show that the bot is being
thwarted and the script is exiting harmlessly, so thank you very much.

I think it's time to propose some white-list style regexps instead of
trying to filter out the evil stuff (thanks Shiflett). For example, would
you agree that a proper name (of a person) in most any Western European
language ought to pass this test?

function checkProperName($name) {
    // the name passes only if no character falls outside the allowed set
    return preg_match("/[^a-zA-Z\xC0-\xFF .,'-]/",$name) == false;
}

---
David Mintz
http://davidmintz.org/

From danielc at analysisandsolutions.com Mon Sep 12 14:35:30 2005
From: danielc at analysisandsolutions.com (Daniel Convissor)
Date: Mon, 12 Sep 2005 14:35:30 -0400
Subject: [nycphp-talk] worm/virus's hammering feedback scripts?
In-Reply-To: <6.2.3.4.2.20050912123707.0246ca40@mail.optonline.net>
References: <0MKp2t-1EEVZL04AF-0004KA@mrelay.perfora.net> <0MKp2t-1EEnZh055l-0000LJ@mrelay.perfora.net> <43259BC2.4050604@omnistep.com> <20050912162018.GA22938@panix.com> <6.2.3.4.2.20050912123707.0246ca40@mail.optonline.net>
Message-ID: <20050912183529.GA1332@panix.com>

Hi Michael:

On Mon, Sep 12, 2005 at 12:41:12PM -0400, Michael Southwell wrote:
> At 12:20 PM 9/12/2005, you wrote:
>
> >A list of addresses is the wrong approach. The email addresses are
> >variable and easy to change.
> >More importantly, the content is the issue,
> >not the email address.
>
> The point is simply to identify which scripts have sent emails to the
> known-bad addresses; those are the vulnerable ones.

I'm afraid that will lead people into both a false sense of security and
using email address blacklists. Folks should audit their email scripts,
period.

> There were other problems as well, which I noted in my polished
> version. We need an officially sanctioned version of the function
> before we can post anything.

Agreed. Here's what I think is a good starting point for discussion...

<?php
// untested!!!!
// MUST do is_set() checks on all of these for first!
// left out for brevity.

if (eregi('^[a-z0-9_.=+-]+@([a-z0-9-]+\.)+([a-z]{2,6})$', $_POST['address'])) {
    $address = $_POST['address'];
} else {
    echo 'bad email';
    exit;
}

// eregi_replace() takes (pattern, replacement, string); the empty
// replacement strips every character outside the allowed set
$name = eregi_replace("[^a-z .'-]", '', $_POST['name']);
$subject = eregi_replace("[^a-z .'-]", '', $_POST['subject']);
$message = htmlspecialchars($_POST['message']);

@mail('me at example.com', $subject, $message, "From: $name <$address>");
?>

--Dan

--
 T H E   A N A L Y S I S   A N D   S O L U T I O N S   C O M P A N Y
 data intensive web and database programming
 http://www.AnalysisAndSolutions.com/
 4015 7th Ave #4, Brooklyn NY 11232  v: 718-854-0335 f: 718-854-0409

From mail at billyreisinger.com Mon Sep 12 14:36:19 2005
From: mail at billyreisinger.com (Billy Reisinger)
Date: Mon, 12 Sep 2005 14:36:19 -0400
Subject: [nycphp-talk] worm/virus's hammering feedback scripts?
In-Reply-To:
References: <0MKp2t-1EEVZL04AF-0004KA@mrelay.perfora.net> <43248C2F.8030006@omnistep.com>
Message-ID: <4325CAA3.4000304@billyreisinger.com>

Dear David:

The attacker only needs to slip a mail header in _any_ of the variables
passed to mail(); not just a Reply-to: header. In brief, this attack works
due to a "feature" of MIME headers which allow you to have duplicate header
entries (i.e. To:, Reply-to:, etc) in _any_order_ in the mail header. In
fact, the attacker can stop a mail message in the middle of the message
body and begin an entirely new message! For a more thorough (and cogent)
explanation of this vulnerability, head on over to
http://securephp.damonkohler.com/index.php/Email_Injection . It's kind of
a funky problem to get your brain around. I agree that the community needs
some sort of standardized solution to squash this problem once and for
all!
David Mintz wrote: >I am a little confused about how my contact.php has been abused, or >whether the attack actually succeeded or just annoyed me. > >There are fields for contact data such as phone number etc but these are >validated and then end up as part of the message body. > >The To (site owner, and me) and Subject headers are hard-coded. The >user-supplied email goes into Reply-to header as a convenience to the >ultimate human receiver. However, that email is validated against this >regex by HTML_QuickForm: > >/^((\"[^\"\f\n\r\t\v\b]+\")|([\w\!\#\$\%\&\'\*\+\-\~\/\^\`\|\{\}]+(\.[\w\!\#\$\%\&\'\*\+\-\~\/\^\`\|\{\}]+)*))@((\[(((25[0-5])|(2[0-4][0-9])|([0-1]?[0-9]?[0-9]))\.((25[0-5])|(2[0-4][0-9])|([0-1]?[0-9]?[0-9]))\.((25[0-5])|(2[0-4][0-9])|([0-1]?[0-9]?[0-9]))\.((25[0-5])|(2[0-4][0-9])|([0-1]?[0-9]?[0-9])))\])|(((25[0-5])|(2[0-4][0-9])|([0-1]?[0-9]?[0-9]))\.((25[0-5])|(2[0-4][0-9])|([0-1]?[0-9]?[0-9]))\.((25[0-5])|(2[0-4][0-9])|([0-1]?[0-9]?[0-9]))\.((25[0-5])|(2[0-4][0-9])|([0-1]?[0-9]?[0-9])))|((([A-Za-z0-9\-])+\.)+[A-Za-z\-]+))$/ > > >It isn't optimized for readability but I really don't think you can slip >newlines and "\r\nCc: whatever at example.org" and 'Content-type:...' in >there. Messages come to me like the following (site domain name changed >for discretion's sake). I looks like the nasty part only made it into the >message body. Does this nevertheless mean the mail function actually sent >mail to the now famous jrubin3546 at aol.com? 
> >Date: 11 Sep 2005 16:55:58 -0000 >From: webmaster at example.org >Reply-To: jkbfi at example.org >To: site-owner at example.org, dmintz at davidmintz.org >Subject: EXAMPLE Mailing List > >The following request to be added to the EXAMPLE mailing list was >submitted via EXAMPLE.org on 11-Sep-2005 at 12:55 pm > >jkbfi at example.org, jkbfi at example.org jkbfi at example.org >Content-Type: multipart/mixed; boundary="===============2144621942==" >MIME-Version: 1.0 >Subject: a29babd0 >To: jkbfi at example.org >bcc: jrubin3546 at aol.com >From: jkbfi at example.org > >This is a multi-part message in MIME format. > >--===============2144621942== >Content-Type: text/plain; charset="us-ascii" >MIME-Version: 1.0 >Content-Transfer-Encoding: 7bit > >bsmiaujtd >--===============2144621942==-- >jkbfi at example.org >jkbfi at example.org >jkbfi at example.org >jkbfi at example.org >jkbfi at example.org, jkbfi at example.org jkbfi at example.org > >Business phone jkbfi at example.org >Business fax jkbfi at example.org >Cellular jkbfi at example.org >Home phone jkbfi at example.org >Email jkbfi at example.org > >[end example] > >Meawhile I have hardened this script along the lines suggested by Hans Z >et al and started logging the state of the input after validation on every >invocation of the script, and these logs show that the bot is being >thwarted and the script is exiting harmlessly, so thank you very much. > >I think it's time to propose some white-list style regexps instead of >trying to filter out the evil stuff (thanks Shiflett). For example, would >you agree that a proper name (of a person) in most any Western >European language ought to pass this test? 
> >function checkProperName($name) { > return preg_match("/[^a-zA-Z\xC0-\xFF .,'-]/",$name) == false; >} > >--- >David Mintz >http://davidmintz.org/ >_______________________________________________ >New York PHP Talk Mailing List >AMP Technology >Supporting Apache, MySQL and PHP >http://lists.nyphp.org/mailman/listinfo/talk >http://www.nyphp.org > > > > > From mail at billyreisinger.com Mon Sep 12 14:38:23 2005 From: mail at billyreisinger.com (Billy Reisinger) Date: Mon, 12 Sep 2005 14:38:23 -0400 Subject: [nycphp-talk] worm/virus's hammering feedback scripts? In-Reply-To: <20050912183529.GA1332@panix.com> References: <0MKp2t-1EEVZL04AF-0004KA@mrelay.perfora.net> <0MKp2t-1EEnZh055l-0000LJ@mrelay.perfora.net> <43259BC2.4050604@omnistep.com> <20050912162018.GA22938@panix.com> <6.2.3.4.2.20050912123707.0246ca40@mail.optonline.net> <20050912183529.GA1332@panix.com> Message-ID: <4325CB1F.20602@billyreisinger.com> This eregi() is a good start - but like I said in a previous post, ALL variables should be checked this way, including subject and message! The cruel nature of this hack is that it works anywhere in the mail() function. Cheers, Billy Reisinger Daniel Convissor wrote: >Hi Michael: > >On Mon, Sep 12, 2005 at 12:41:12PM -0400, Michael Southwell wrote: > > >>At 12:20 PM 9/12/2005, you wrote: >> >> >> >>>A list of addresses is the wrong approach. The email addresses are >>>variable and easy to change. More importantly, the content is the issue, >>>not the email address. >>> >>> >>The point is simply to identify which scripts have sent emails to the >>known-bad addresses; those are the vulnerable ones. >> >> > >I'm afraid that will lead people into both a false sense of security and >using email address blacklists. Folks should audit their email scripts, >period. > > > > >>There were other problems as well, which I noted in my polished >>version. We need an officially sanctioned version of the function >>before we can post anything. >> >> > >Agreed. 
>Here's what I think is a good starting point for discussion...
>
><?php
>// untested!!!!
>// MUST do isset() checks on all of these first!
>// left out for brevity.
>
>if (eregi('^[a-z0-9_.=+-]+@([a-z0-9-]+\.)+([a-z]{2,6})$', $_POST['address'])) {
>    $address = $_POST['address'];
>} else {
>    echo 'bad email';
>    exit;
>}
>
>// second argument (the replacement) was missing in the original post
>$name = eregi_replace("[^a-z .'-]", '', $_POST['name']);
>$subject = eregi_replace("[^a-z .'-]", '', $_POST['subject']);
>$message = htmlspecialchars($_POST['message']);
>
>@mail('me@example.com', $subject, $message, "From: $name <$address>");
>?>
>
>--Dan
>
>
>
From danielc at analysisandsolutions.com Mon Sep 12 15:08:08 2005 From: danielc at analysisandsolutions.com (Daniel Convissor) Date: Mon, 12 Sep 2005 15:08:08 -0400 Subject: [nycphp-talk] worm/virus's hammering feedback scripts? In-Reply-To: <4325CB1F.20602@billyreisinger.com> <4325CAA3.4000304@billyreisinger.com> References: <0MKp2t-1EEnZh055l-0000LJ@mrelay.perfora.net> <43259BC2.4050604@omnistep.com> <20050912162018.GA22938@panix.com> <6.2.3.4.2.20050912123707.0246ca40@mail.optonline.net> <20050912183529.GA1332@panix.com> <4325CB1F.20602@billyreisinger.com> <0MKp2t-1EEVZL04AF-0004KA@mrelay.perfora.net> <43248C2F.8030006@omnistep.com> <4325CAA3.4000304@billyreisinger.com> Message-ID: <20050912190808.GA21414@panix.com> Hi Billy: On Mon, Sep 12, 2005 at 02:36:19PM -0400, Billy Reisinger wrote: > In fact, the attacker can stop a mail message in the > middle of the message body and begin an entirely new message! For a > more thorough (and cogent) explanation of this vulnerability, head on > over to http://securephp.damonkohler.com/index.php/Email_Injection . Huh?! Insert headers in the middle of the message body?! That doesn't make sense to me. I believe you're misinterpreting the article you mention. Perhaps I misunderstand things, but the way I see it, I can write "Content-Type: " in the middle of message until my fingers fall off and it won't have any impact.
The problem is inserting that into the headers. On Mon, Sep 12, 2005 at 02:38:23PM -0400, Billy Reisinger wrote: > This eregi() is a good start - but like I said in a previous post, ALL > variables should be checked this way, including subject and message! > The cruel nature of this hack is that it works anywhere in the mail() > function. My (buggy, someone please fix it, I'm short on time now) pseudo-code clears invalid characters from the subject and name plus if the email address is bogus, halts execution. --Dan -- T H E A N A L Y S I S A N D S O L U T I O N S C O M P A N Y data intensive web and database programming http://www.AnalysisAndSolutions.com/ 4015 7th Ave #4, Brooklyn NY 11232 v: 718-854-0335 f: 718-854-0409 From dmintz at davidmintz.org Mon Sep 12 15:10:19 2005 From: dmintz at davidmintz.org (David Mintz) Date: Mon, 12 Sep 2005 15:10:19 -0400 (EDT) Subject: [nycphp-talk] worm/virus's hammering feedback scripts? In-Reply-To: <4325CAA3.4000304@billyreisinger.com> References: <0MKp2t-1EEVZL04AF-0004KA@mrelay.perfora.net> <43248C2F.8030006@omnistep.com> <4325CAA3.4000304@billyreisinger.com> Message-ID: On Mon, 12 Sep 2005, Billy Reisinger wrote: > The attacker only needs to slip a mail header in _any_ of the variables > passed to mail(); not just a Reply-to: header. In brief, this attack > works due to a "feature" of MIME headers which allow you to have > duplicate header entries (i.e. To:, Reply-to:, etc) in _any_order_ in > the mail header. In fact, the attacker can stop a mail message in the > middle of the message body and begin an entirely new message! For a > more thorough (and cogent) explanation of this vulnerability, head on > over to http://securephp.damonkohler.com/index.php/Email_Injection . > It's kind of a funky problem to get your brain around. I agree that the > community needs some sort of standardized solution to squash this > problem once and for all! OK, thank you. The picture is getting clearer. 
I did look at that article but did not read the whole thing thoroughly enough to pick up this important point (my bad). The takeaway seems to be: always validate the hell out of everything no matter what, period. Gee, sounds kind of familiar doesn't it. --- David Mintz http://davidmintz.org/ From chsnyder at gmail.com Mon Sep 12 15:48:40 2005 From: chsnyder at gmail.com (csnyder) Date: Mon, 12 Sep 2005 15:48:40 -0400 Subject: [nycphp-talk] worm/virus's hammering feedback scripts? In-Reply-To: <20050912190808.GA21414@panix.com> References: <0MKp2t-1EEnZh055l-0000LJ@mrelay.perfora.net> <20050912162018.GA22938@panix.com> <6.2.3.4.2.20050912123707.0246ca40@mail.optonline.net> <20050912183529.GA1332@panix.com> <0MKp2t-1EEVZL04AF-0004KA@mrelay.perfora.net> <43248C2F.8030006@omnistep.com> <4325CB1F.20602@billyreisinger.com> <4325CAA3.4000304@billyreisinger.com> <20050912190808.GA21414@panix.com> Message-ID: On 9/12/05, Daniel Convissor wrote: > Hi Billy: > > On Mon, Sep 12, 2005 at 02:36:19PM -0400, Billy Reisinger wrote: > > In fact, the attacker can stop a mail message in the > > middle of the message body and begin an entirely new message! For a > > more thorough (and cogent) explanation of this vulnerability, head on > > over to http://securephp.damonkohler.com/index.php/Email_Injection . > > Huh?! Insert headers in the middle of the message body?! That doesn't > make sense to me. I believe you're misinterpreting the article you > mention. Perhaps I misunderstand things, but the way I see it, I can > write "Content-Type: " in the middle of message until my fingers > fall off and it won't have any impact. The problem is inserting that into > the headers. > The article is dangerously ambiguous on this point, but I think you're right on here, Dan. In order to insert new MIME parts into the message body, you need to be able to set the boundary marker in the headers. So the message body itself is safe, provided your headers are properly sanitized. 
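Added example (not code from the thread or from any poster's script) showing the distinction csnyder draws above: fields that end up in headers are refused outright if they contain a line break, while the body may legitimately contain the text "Content-Type:". The function names, addresses and the two sample submissions are constructed for illustration.

```php
<?php
// Added example, not code from the thread. It shows the point made above:
// fields that end up in headers (From, Subject) must be a single line,
// while the body may contain "Content-Type:" text because mail() never
// promotes body text to headers. All addresses below are constructed.

// A header-bound value is safe only if it contains no CR, LF or NUL.
function isSingleLine($value) {
    return is_string($value) && preg_match('/[\r\n\0]/', $value) === 0;
}

// Strict address check: one local part, one dotted domain, nothing else.
// Deliberately narrower than RFC 2822, which is the trade-off the thread
// discusses; its job is to keep "bcc:" and friends out of the From header.
function isSafeAddress($addr) {
    return isSingleLine($addr)
        && preg_match('/^[a-z0-9_.+=-]+@([a-z0-9-]+\.)+[a-z]{2,6}$/i', $addr) === 1;
}

// Build the argument list for mail() from a form submission.
// Returns an array (to, subject, message, headers) or null when any
// header-bound field would let the submitter write their own headers.
function buildMailArgs(array $post, $recipient) {
    foreach (array('name', 'address', 'subject') as $field) {
        if (!isset($post[$field]) || !isSingleLine($post[$field])) {
            return null; // a line break here is an injected header: refuse
        }
    }
    if (!isSafeAddress($post['address'])) {
        return null;
    }
    // Whitelist the display name (letters, space and a little punctuation),
    // the approach David Mintz proposes rather than blacklisting.
    $name = preg_replace("/[^a-zA-Z .,'-]/", '', $post['name']);
    // Subject is already one line; drop any remaining control characters.
    $subject = preg_replace('/[\x00-\x1f\x7f]/', '', $post['subject']);
    // Body: line breaks are harmless for mail(). Escaping is only needed
    // if the text is later rendered as HTML, which is an XSS question.
    $body = isset($post['message']) ? (string) $post['message'] : '';

    return array(
        'to'      => $recipient,
        'subject' => $subject,
        'message' => $body,
        'headers' => "From: $name <{$post['address']}>\r\n",
    );
}

// Self-check on two constructed submissions; returns true when both behave
// as intended, so it runs without a mail server.
function selfCheck() {
    // 1. Bot-style payload in the name field, same shape as in the thread.
    $bot = array(
        'name'    => "x\r\nContent-Type: multipart/mixed; boundary=\"==zz==\"\r\n"
                   . "bcc: someone-else@example.invalid\r\n",
        'address' => 'sender@example.invalid',
        'subject' => 'hello',
        'message' => 'hi',
    );
    // 2. Honest submission whose body merely talks about headers.
    $ok = array(
        'name'    => "O'Brien, Ann",
        'address' => 'ann@example.invalid',
        'subject' => 'Question',
        'message' => "Why does my mail say\nContent-Type: text/plain\ntwice?",
    );
    $rejected = buildMailArgs($bot, 'me@example.invalid') === null;
    $args     = buildMailArgs($ok, 'me@example.invalid');
    $accepted = $args !== null
        && $args['headers'] === "From: O'Brien, Ann <ann@example.invalid>\r\n"
        && strpos($args['message'], 'Content-Type') !== false;
    return $rejected && $accepted;
}

echo selfCheck() ? "checks passed\n" : "checks FAILED\n";
```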
From mail at billyreisinger.com Mon Sep 12 15:52:48 2005 From: mail at billyreisinger.com (Billy Reisinger) Date: Mon, 12 Sep 2005 15:52:48 -0400 Subject: [nycphp-talk] worm/virus's hammering feedback scripts? In-Reply-To: <20050912190808.GA21414@panix.com> References: <0MKp2t-1EEnZh055l-0000LJ@mrelay.perfora.net> <43259BC2.4050604@omnistep.com> <20050912162018.GA22938@panix.com> <6.2.3.4.2.20050912123707.0246ca40@mail.optonline.net> <20050912183529.GA1332@panix.com> <4325CB1F.20602@billyreisinger.com> <0MKp2t-1EEVZL04AF-0004KA@mrelay.perfora.net> <43248C2F.8030006@omnistep.com> <4325CAA3.4000304@billyreisinger.com> <20050912190808.GA21414@panix.com> Message-ID: <4325DC90.1000607@billyreisinger.com> Daniel Convissor wrote: >Huh?! Insert headers in the middle of the message body?! That doesn't >make sense to me. I believe you're misinterpreting the article you >mention. Perhaps I misunderstand things, but the way I see it, I can >write "Content-Type: " in the middle of message until my fingers >fall off and it won't have any impact. The problem is inserting that into >the headers. > > I know, it's weird; unfortunately, it's true. There's a specific little hack of the Content-type header that lets the hacker do a multi-part message. If you scroll down to about the bottom of the article I mentioned, it goes over it in detail. Again, kind of a brainteaser of a hack, so it's worth sitting down and reading in detail. > >My (buggy, someone please fix it, I'm short on time now) pseudo-code >clears invalid characters from the subject and name plus if the email >address is bogus, halts execution. > >--Dan > Got it. I misread your previous post! 
Cheers, Billy Reisinger From greg.rundlett at gmail.com Mon Sep 12 16:54:51 2005 From: greg.rundlett at gmail.com (Greg Rundlett) Date: Mon, 12 Sep 2005 16:54:51 -0400 Subject: [nycphp-talk] PHPWiki In-Reply-To: References: <43242A1B.4050102@magpie.com> Message-ID: <5e2aaca4050912135473ae1658@mail.gmail.com> On 9/12/05, edward potter wrote: > > I was wondering if anyone has come across a good Programmers Guide to > MediaWiki, yes i've googled it, have some links, but still kinda of piece > meal. I used to follow the (mediawiki) developers list daily. One thing I can tell you is that the project lead Brion Vibber is amazing at how many questions he fields individually. If no other documentation exists, then you need to search the list archives and will invariably come up with the information you seek. If the question has never been asked, then I'm sure that Brion, or another dev, would answer. All of that being said, one of my pet peeves is that the OpenSource world in general does a great job of producing code, but is all too often lacking in architectural and other types of documentation for both developers and users alike--even when projects take up the task of producing it. It's still a very uphill battle for lots of valid reasons (constant maintenance, volunteer effort). -------------- next part -------------- An HTML attachment was scrubbed... URL: From danielc at analysisandsolutions.com Mon Sep 12 18:07:05 2005 From: danielc at analysisandsolutions.com (Daniel Convissor) Date: Mon, 12 Sep 2005 18:07:05 -0400 Subject: [nycphp-talk] worm/virus's hammering feedback scripts?
In-Reply-To: <4325DC90.1000607@billyreisinger.com> References: <20050912162018.GA22938@panix.com> <6.2.3.4.2.20050912123707.0246ca40@mail.optonline.net> <20050912183529.GA1332@panix.com> <4325CB1F.20602@billyreisinger.com> <0MKp2t-1EEVZL04AF-0004KA@mrelay.perfora.net> <43248C2F.8030006@omnistep.com> <4325CAA3.4000304@billyreisinger.com> <20050912190808.GA21414@panix.com> <4325DC90.1000607@billyreisinger.com> Message-ID: <20050912220705.GA18012@panix.com> Hi Billy: > I know, it's weird; unfortunately, it's true. There's a specific little > hack of the Content-type header that lets the hacker do a multi-part > message. If you scroll down to about the bottom of the article I > mentioned, it goes over it in detail. You seem to be misinterpreting the article. The crack only works if they can get the "Content-Type: multipart/mixed;" into the _header_, at the beginning of a new line. --Dan -- T H E A N A L Y S I S A N D S O L U T I O N S C O M P A N Y data intensive web and database programming http://www.AnalysisAndSolutions.com/ 4015 7th Ave #4, Brooklyn NY 11232 v: 718-854-0335 f: 718-854-0409 From mjdewitt at alexcommgrp.com Mon Sep 12 18:15:22 2005 From: mjdewitt at alexcommgrp.com (DeWitt, Michael) Date: Mon, 12 Sep 2005 18:15:22 -0400 Subject: [nycphp-talk] worm/virus's hammering feedback scripts? Message-ID: > -----Original Message----- > From: csnyder [SMTP:chsnyder at gmail.com] > Sent: Monday, September 12, 2005 3:49 PM > To: NYPHP Talk > Subject: Re: [nycphp-talk] worm/virus's hammering feedback scripts? > > On 9/12/05, Daniel Convissor wrote: > > Hi Billy: > > > > On Mon, Sep 12, 2005 at 02:36:19PM -0400, Billy Reisinger wrote: > > > In fact, the attacker can stop a mail message in the > > > middle of the message body and begin an entirely new message! For a > > > more thorough (and cogent) explanation of this vulnerability, head on > > > over to http://securephp.damonkohler.com/index.php/Email_Injection . > > > > Huh?! 
Insert headers in the middle of the message body?! That doesn't > > make sense to me. I believe you're misinterpreting the article you > > mention. Perhaps I misunderstand things, but the way I see it, I can > > write "Content-Type: " in the middle of message until my > fingers > > fall off and it won't have any impact. The problem is inserting that > into > > the headers. > > > > The article is dangerously ambiguous on this point, but I think you're > right on here, Dan. In order to insert new MIME parts into the message > body, you need to be able to set the boundary marker in the headers. > > So the message body itself is safe, provided your headers are properly > sanitized. > _______________________________________________ > New York PHP Talk Mailing List > AMP Technology > Supporting Apache, MySQL and PHP > http://lists.nyphp.org/mailman/listinfo/talk > http://www.nyphp.org From ps at pswebcode.com Mon Sep 12 18:22:20 2005 From: ps at pswebcode.com (Peter Sawczynec) Date: Mon, 12 Sep 2005 18:22:20 -0400 Subject: [nycphp-talk] worm/virus's hammering feedback scripts? In-Reply-To: Message-ID: <013401c5b7e8$70eea1b0$6400a8c0@PeterStorm> What if unsanitized data including javascripting is inadvertently left in the message body and the web site process goes on to show an HTML page recap and confirmation back to the user, couldn't this pose an issue regarding what is in the email body? Peter -----Original Message----- From: talk-bounces at lists.nyphp.org [mailto:talk-bounces at lists.nyphp.org] On Behalf Of DeWitt, Michael Sent: Monday, September 12, 2005 6:15 PM To: 'NYPHP Talk' Subject: Re: [nycphp-talk] worm/virus's hammering feedback scripts? > -----Original Message----- > From: csnyder [SMTP:chsnyder at gmail.com] > Sent: Monday, September 12, 2005 3:49 PM > To: NYPHP Talk > Subject: Re: [nycphp-talk] worm/virus's hammering feedback scripts? 
> > On 9/12/05, Daniel Convissor wrote: > > Hi Billy: > > > > On Mon, Sep 12, 2005 at 02:36:19PM -0400, Billy Reisinger wrote: > > > In fact, the attacker can stop a mail message in the middle of the > > > message body and begin an entirely new message! For a more > > > thorough (and cogent) explanation of this vulnerability, head on > > > over to http://securephp.damonkohler.com/index.php/Email_Injection > > > . > > > > Huh?! Insert headers in the middle of the message body?! That > > doesn't make sense to me. I believe you're misinterpreting the > > article you mention. Perhaps I misunderstand things, but the way I > > see it, I can write "Content-Type: " in the middle of > > message until my > fingers > > fall off and it won't have any impact. The problem is inserting > > that > into > > the headers. > > > > The article is dangerously ambiguous on this point, but I think you're > right on here, Dan. In order to insert new MIME parts into the message > body, you need to be able to set the boundary marker in the headers. > > So the message body itself is safe, provided your headers are properly > sanitized. _______________________________________________ > New York PHP Talk Mailing List > AMP Technology > Supporting Apache, MySQL and PHP > http://lists.nyphp.org/mailman/listinfo/talk > http://www.nyphp.org _______________________________________________ New York PHP Talk Mailing List AMP Technology Supporting Apache, MySQL and PHP http://lists.nyphp.org/mailman/listinfo/talk http://www.nyphp.org From prusak at gmail.com Mon Sep 12 21:55:40 2005 From: prusak at gmail.com (Ophir Prusak) Date: Mon, 12 Sep 2005 21:55:40 -0400 Subject: [nycphp-talk] PHP on Windows + MS SQL Server In-Reply-To: <20050910144208.GB21130@panix.com> References: <20050910144208.GB21130@panix.com> Message-ID: thanks all for the replies. 
ophir On 9/10/05, Daniel Convissor wrote: > Hey Ophir: > > On Fri, Sep 09, 2005 at 05:20:33PM -0400, Ophir Prusak wrote: > > > > I'm working at a windows shop where all of the data is on MS SQL server 2000 > > (using .asp and .aspx - .net) > > > > We're at the point where we're looking into adding PHP into the mix. > > PEAR DB works just dandy with MSSQL. Even if you don't want to use the > package, you may gain some insights from the source code. > > --Dan > > -- > T H E A N A L Y S I S A N D S O L U T I O N S C O M P A N Y > data intensive web and database programming > http://www.AnalysisAndSolutions.com/ > 4015 7th Ave #4, Brooklyn NY 11232 v: 718-854-0335 f: 718-854-0409 > _______________________________________________ > New York PHP Talk Mailing List > AMP Technology > Supporting Apache, MySQL and PHP > http://lists.nyphp.org/mailman/listinfo/talk > http://www.nyphp.org > From mail at billyreisinger.com Mon Sep 12 22:22:38 2005 From: mail at billyreisinger.com (Billy Reisinger) Date: Mon, 12 Sep 2005 22:22:38 -0400 Subject: [nycphp-talk] worm/virus's hammering feedback scripts? In-Reply-To: <20050912220705.GA18012@panix.com> References: <20050912162018.GA22938@panix.com> <6.2.3.4.2.20050912123707.0246ca40@mail.optonline.net> <20050912183529.GA1332@panix.com> <4325CB1F.20602@billyreisinger.com> <0MKp2t-1EEVZL04AF-0004KA@mrelay.perfora.net> <43248C2F.8030006@omnistep.com> <4325CAA3.4000304@billyreisinger.com> <20050912190808.GA21414@panix.com> <4325DC90.1000607@billyreisinger.com> <20050912220705.GA18012@panix.com> Message-ID: Dan - Apologies if I am being vague. Yes, the person has to get the hack into the Content-type: header, but if this _is_ accomplished, the attacker can append characters or data to the message body, from what I understand. We're splitting hairs, here. Cheers, Billy On Sep 12, 2005, at 6:07 PM, Daniel Convissor wrote: > Hi Billy: > > >> I know, it's weird; unfortunately, it's true. 
There's a specific >> little >> hack of the Content-type header that lets the hacker do a multi-part >> message. If you scroll down to about the bottom of the article I >> mentioned, it goes over it in detail. >> > > You seem to be misinterpreting the article. The crack only works > if they > can get the "Content-Type: multipart/mixed;" into the _header_, at the > beginning of a new line. > > --Dan > > -- > T H E A N A L Y S I S A N D S O L U T I O N S C O M P A N Y > data intensive web and database programming > http://www.AnalysisAndSolutions.com/ > 4015 7th Ave #4, Brooklyn NY 11232 v: 718-854-0335 f: 718-854-0409 > _______________________________________________ > New York PHP Talk Mailing List > AMP Technology > Supporting Apache, MySQL and PHP > http://lists.nyphp.org/mailman/listinfo/talk > http://www.nyphp.org > > > From lists at zaunere.com Mon Sep 12 23:08:08 2005 From: lists at zaunere.com (Hans Zaunere) Date: Mon, 12 Sep 2005 23:08:08 -0400 Subject: [nycphp-talk] worm/virus's hammering feedback scripts? POLISHED VERSION In-Reply-To: <6.2.3.4.2.20050912120926.0244d060@mail.optonline.net> Message-ID: <0MKp2t-1EF19U2ulD-000801@mrelay.perfora.net> I'm preparing to make the posting, but want to double check something. Please see below. Michael Southwell scribbled on Monday, September 12, 2005 12:15 PM: > I polished this up a bit. > > IMPORTANT: Ken's original function did not work in my testing, > because (1) the \ in \r and \n needed to be escaped, and (2) he had > the letter O instead of the numeral 0 in the hex numbers. Somebody > smarter than I am, please check carefully the modified version > included below. =========================== > > Problem: > Bot-net scanning to locate php scripts which are vulnerable to a email > header injection exploit. All PHP scripts which send email based on > input data are vulnerable. 
> > Discussion: > A large scale distributed network of machines is currently being > employed to scan php-based websites in search of scripts which are Is this exploit PHP specific? Although I haven't confirmed, the nature of the vulnerability would appear to affect any mailing web form, in nearly any language. Can anyone provide additional details? --- Hans Zaunere / President / New York PHP www.nyphp.org / www.nyphp.com From kenrbnsn at rbnsn.com Mon Sep 12 23:20:42 2005 From: kenrbnsn at rbnsn.com (Ken Robinson) Date: Mon, 12 Sep 2005 23:20:42 -0400 Subject: [nycphp-talk] worm/virus's hammering feedback scripts? POLISHED VERSION In-Reply-To: <6.2.3.4.2.20050912120926.0244d060@mail.optonline.net> References: <0MKp2t-1EEnZh055l-0000LJ@mrelay.perfora.net> <43259BC2.4050604@omnistep.com> <6.2.3.4.2.20050912120926.0244d060@mail.optonline.net> Message-ID: <6.2.5.4.2.20050912231541.06c89ca8@rbnsn.com> At 12:15 PM 9/12/2005, Michael Southwell wrote: >I polished this up a bit. > >IMPORTANT: Ken's original function did not work in my testing, >because (1) the \ in \r and \n needed to be escaped, and (2) he had >the letter O instead of the numeral 0 in the hex numbers. Somebody >smarter than I am, please check carefully the modified version included below. I'm curious as to why you think that the \ in \r and \n need to be escaped? I am really searching for and removing "\n" and "\r" characters in the string. In my tests this has worked and prevented the spam tests from getting out. The spambots are still hitting the one site I've made the modifications on. They're not hitting any of my other sites (yet) and I have been working on getting the fix into them. BTW, I've noticed that they're putting their malicious code in any and/or all of the posted variables including "submit". Another attempt I've seen was where the referer was a file I don't have. That one was easy to stop.
Ken Robinson From krook at us.ibm.com Mon Sep 12 23:43:01 2005 From: krook at us.ibm.com (Daniel Krook) Date: Mon, 12 Sep 2005 23:43:01 -0400 Subject: [nycphp-talk] worm/virus's hammering feedback scripts? POLISHED VERSION In-Reply-To: <0MKp2t-1EF19U2ulD-000801@mrelay.perfora.net> Message-ID: > Is this exploit PHP specific? Although I haven't > confirmed, the nature of > the vulnerability would appear to affect any mailing web > form, in nearly any > language. Can anyone provide additional details? Hmm, an interesting question... From my experience developing feedback forms in Java using the JavaMail API, the "to" or "from" email addresses are of the type javax.mail.internet.InternetAddress, which takes a String in its constructor and throws an exception (javax.mail.internet.AddressException) if the address cannot be parsed in RFC822 format (the default): http://java.sun.com/products/javamail/javadocs/javax/mail/internet/InternetAddress.html#InternetAddress(java.lang.String) These InternetAddress objects are normally given to an instance of type javax.mail.internet.MimeMessage which is itself given an instance of javax.mail.Session. You often set MimeMessage's recipients with methods which take InternetAddresses, but can also take raw Strings. The setSubject method of MimeMessage takes Strings, and it explicitly notes in the Javadoc that "The application must ensure that the subject does not contain any line breaks", which seems to suggest that it is also known to be vulnerable to an exploit of this nature. http://java.sun.com/products/javamail/javadocs/javax/mail/internet/MimeMessage.html#setSubject(java.lang.String) So it would seem if you ventured past the parts of the JavaMail API which allow you to use Strings, instead of creating InternetAddress objects and hardcoding the subject, you would be "safe" from the exploit, but you should double check any methods that you are using that expect Strings.
Daniel Krook, Advisory IT Specialist Application Development, Production Services - Tools, ibm.com Personal: http://info.krook.org/ BluePages: http://bluepages.redirect.webahead.ibm.com/ BlogPages: http://blogpages.redirect.webahead.ibm.com/ From krook at us.ibm.com Mon Sep 12 23:55:27 2005 From: krook at us.ibm.com (Daniel Krook) Date: Mon, 12 Sep 2005 23:55:27 -0400 Subject: [nycphp-talk] worm/virus's hammering feedback scripts? POLISHED VERSION In-Reply-To: Message-ID: Sorry, This: > So it would seem if you ventured past the parts of the > JavaMail API which > allow you to use Strings, instead of creating > InternetAddress objects and > hardcoding the subject, you would be "safe" from the > exploit, but you > should double check any methods that you are using that > expect Strings. should read: So it would seem if you did *not* venture into the parts of the JavaMail API which allow you to use Strings, instead of creating InternetAddress objects and hardcoding the subject, you would be "safe" from the exploit. Otherwise, you should double check any methods that you are using that expect Strings. Daniel Krook, Advisory IT Specialist Application Development, Production Services - Tools, ibm.com Personal: http://info.krook.org/ BluePages: http://bluepages.redirect.webahead.ibm.com/ BlogPages: http://blogpages.redirect.webahead.ibm.com/ From arzala at gmail.com Tue Sep 13 01:02:42 2005 From: arzala at gmail.com (Anirudh Zala (Gmail)) Date: Tue, 13 Sep 2005 10:32:42 +0530 Subject: [nycphp-talk] worm/virus's hammering feedback scripts? Message-ID: <43265D72.2080007@gmail.com> -------- Original Message -------- Subject: Re: [nycphp-talk] worm/virus's hammering feedback scripts? 
Date: Tue, 13 Sep 2005 09:27:53 +0530 From: Anirudh Zala (Gmail) To: NYPHP Talk References: <0MKp2t-1EEVZL04AF-0004KA at mrelay.perfora.net> <43248C2F.8030006 at omnistep.com> <4324FB52.5010806 at omnistep.com> Rolan Yang wrote: >One more hint to all: > > If you are hosting php scripts for other people, or simply have too >many to comb through on your own server(s), grep your mail server log >for "jrubin3546 at aol.com". If you see any results, cross reference that >time with your web logs to locate the exploitable script. > >~Rolan >_______________________________________________ >New York PHP Talk Mailing List >AMP Technology >Supporting Apache, MySQL and PHP >http://lists.nyphp.org/mailman/listinfo/talk >http://www.nyphp.org > > > We had the same problem. But we had enough protection in our scripts against such exploitation. Ideally, tracking any email address as Rolan asked might not be useful, as spammers often change it from time to time. Moreover, when your hosting company is big or you have many websites running on your server, you can't monitor everything. The simplest solution to protect your scripts against such misuse is to use JS validation of your form fields, PHP validation using regexp functions, use of PHP functions like "htmlspecialchars, strip_tags and stripslashes", and to use the $_GET and $_POST superglobals instead of normal PHP-style variables when using form variables. This implementation, according to me, gives you 90% protection against such exploitation. Below is a snapshot of an error generated by one of our websites. Please see that the variables have been shown as associative arrays. =============================================================== Date and Time : 13-9-2005 00:00 Url : www.hameenautocenter.fi File path : /web/www.SOMETHING.com/..........
Logged in user/dealer : () User's IP : 216.194.16.226 Port : 1423 Request method : POST Query string : HTTP referer : http://www.hameenautocenter.fi/ DB server : Message between lines ---- shows real error string returnd by MySQL / class.rFastTemplate.php: -------------------------------------------------------------------------------------------------- load(2/22892.ihtml) failure: -------------------------------------------------------------------------------------------------- # Posted variables were: `thimg439051`=>`bgokwdpda at hameenautocenter.fi` `thimg289279`=>`bgokwdpda at hameenautocenter.fi` `thimg298836`=>`bgokwdpda at hameenautocenter.fi` `thimg434535`=>`bgokwdpda at hameenautocenter.fi` `thimg237515`=>`bgokwdpda at hameenautocenter.fi` `thimg336168`=>`bgokwdpda at hameenautocenter.fi` `thimg434511`=>`bgokwdpda at hameenautocenter.fi` `thimg439032`=>`bgokwdpda at hameenautocenter.fi` `thimg434437`=>`bgokwdpda at hameenautocenter.fi` `thimg257545`=>`bgokwdpda at hameenautocenter.fi` `thimg431994`=>`bgokwdpda at hameenautocenter.fi` `thimg314051`=>`bgokwdpda at hameenautocenter.fi` `thimg211000`=>`bgokwdpda at hameenautocenter.fi` `thimg281279`=>`bgokwdpda at hameenautocenter.fi` `thimg430744`=>`bgokwdpda at hameenautocenter.fi` `thimg432028`=>`bgokwdpda at hameenautocenter.fi Content-Type: multipart/mixed; boundary="===============0394946924==" MIME-Version: 1.0 Subject: e2fd8ef6 To: bgokwdpda at hameenautocenter.fi bcc: jrubin3546 at aol.com From: bgokwdpda at hameenautocenter.fi This is a multi-part message in MIME format. 
--===============0394946924== Content-Type: text/plain; charset="us-ascii" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit nlh --===============0394946924==-- ` `thimg177404`=>`bgokwdpda at hameenautocenter.fi` `thimg430719`=>`bgokwdpda at hameenautocenter.fi` `thimg430708`=>`bgokwdpda at hameenautocenter.fi` `thimg272427`=>`bgokwdpda at hameenautocenter.fi` `thimg364967`=>`bgokwdpda at hameenautocenter.fi` `thimg364964`=>`bgokwdpda at hameenautocenter.fi` `thimg236039`=>`bgokwdpda at hameenautocenter.fi` `thimg298846`=>`bgokwdpda at hameenautocenter.fi` `thimg439004`=>`bgokwdpda at hameenautocenter.fi` `thimg434460`=>`bgokwdpda at hameenautocenter.fi` `thimg281337`=>`bgokwdpda at hameenautocenter.fi` `thimg430694`=>`bgokwdpda at hameenautocenter.fi` `thimg430752`=>`bgokwdpda at hameenautocenter.fi` `thimg432070`=>`bgokwdpda at hameenautocenter.fi` `thimg432055`=>`bgokwdpda at hameenautocenter.fi` `thimg432036`=>`bgokwdpda at hameenautocenter.fi` `thimg268068`=>`bgokwdpda at hameenautocenter.fi` =============================================================== Thanks Anirudh Zala From yournway at gmail.com Tue Sep 13 04:17:15 2005 From: yournway at gmail.com (Alberto dos Santos) Date: Tue, 13 Sep 2005 09:17:15 +0100 Subject: [nycphp-talk] worm/virus's hammering feedback scripts? In-Reply-To: <43265D72.2080007@gmail.com> References: <43265D72.2080007@gmail.com> Message-ID: Hans, and others: This thread has been one of the most enlightening I've ever read on this list, imho, of course. Can you gurus please sum up all of these bright conclusions and add them to the Storing Data Submitted From a Form and Displaying Data from a Database PHundamental? Or is this article already covering these issues with the scripts that feature in it? Thank you all. -- Alberto dos Santos Consultor em TI IT Consultant http://www.yournway.com A internet para o cidadão comum. The Internet for the common citizen. -------------- next part -------------- An HTML attachment was scrubbed...
URL: From danielc at analysisandsolutions.com Tue Sep 13 07:51:05 2005 From: danielc at analysisandsolutions.com (Daniel Convissor) Date: Tue, 13 Sep 2005 07:51:05 -0400 Subject: [nycphp-talk] worm/virus's hammering feedback scripts? In-Reply-To: References: <20050912183529.GA1332@panix.com> <4325CB1F.20602@billyreisinger.com> <0MKp2t-1EEVZL04AF-0004KA@mrelay.perfora.net> <43248C2F.8030006@omnistep.com> <4325CAA3.4000304@billyreisinger.com> <20050912190808.GA21414@panix.com> <4325DC90.1000607@billyreisinger.com> <20050912220705.GA18012@panix.com> Message-ID: <20050913115105.GA23908@panix.com> Hi Billy: On Mon, Sep 12, 2005 at 10:22:38PM -0400, Billy Reisinger wrote: > Yes, the person has to get the hack > into the Content-type: header, but if this _is_ accomplished, the > attacker can append characters or data to the message body, from what > I understand. We're splitting hairs, here. No, we're not. You said the user input for the body can't have "content-type" in it, which is false. --Dan -- T H E A N A L Y S I S A N D S O L U T I O N S C O M P A N Y data intensive web and database programming http://www.AnalysisAndSolutions.com/ 4015 7th Ave #4, Brooklyn NY 11232 v: 718-854-0335 f: 718-854-0409 From mikko.rantalainen at peda.net Tue Sep 13 10:19:18 2005 From: mikko.rantalainen at peda.net (Mikko Rantalainen) Date: Tue, 13 Sep 2005 17:19:18 +0300 Subject: [nycphp-talk] Filtering input to be appended inside email In-Reply-To: <20050912183529.GA1332@panix.com> References: <0MKp2t-1EEVZL04AF-0004KA@mrelay.perfora.net> <0MKp2t-1EEnZh055l-0000LJ@mrelay.perfora.net> <43259BC2.4050604@omnistep.com> <20050912162018.GA22938@panix.com> <6.2.3.4.2.20050912123707.0246ca40@mail.optonline.net> <20050912183529.GA1332@panix.com> Message-ID: <4326DFE6.6@peda.net> Daniel Convissor wrote: > Hi Michael: > On Mon, Sep 12, 2005 at 12:41:12PM -0400, Michael Southwell wrote: >> >>The point is simply to identify which scripts have sent emails to the >>known-bad addresses; those are the 
vulnerable ones. > > I'm afraid that will lead people into both a false sense of security and > using email address blacklists. Folks should audit their email scripts, > period. I agree. Broken code is broken code. If you aren't sure if your email script works correctly, take it offline immediately. >>There were other problems as well, which I noted in my polished >>version. We need an officially sanctioned version of the function >>before we can post anything. > > Agreed. Here's what I think is a good starting point for discussion... > > // untested!!!! > // MUST do is_set() checks on all of these for first! > // left out for brevity. > > if (eregi('^[a-z0-9_.=+-]+@([a-z0-9-]+\.)+([a-z]{2,6})$', $_POST['address'])) { > $address = $_POST['address']; > } else { > echo 'bad email'; > exit; That looks pretty simple but it doesn't allow even nearly all valid email addresses. I'd rather create two functions like /** takes string $input_email and returns RFC 2822 section 3.4 compatible address or empty string if input cannot be handled. http://rfc.net/rfc2822.html#s3.4. */ function getSafeEmail($input_email) { ... return $safe_email; } and /** takes string $input_header and encodes it as a single header to be used for mailing. http://rfc.net/rfc2822.html#s2.2.3. */ function getSafeHeader($input_header) { ... return $safe_header; } and I'd put all input through these functions. Like $from = $_POST["FROM"] or so. ** Of these, the first one is much harder to implement correctly. A simple implementation could only accept limited addr-spec format of syntax dot-atom "@" dot-atom where the dot-atom is defined at http://rfc.net/rfc2822.html#s3.2.4. Note that this is much simpler than full address spec defined in http://rfc.net/rfc2822.html#s3.4. Note that this "simple" format wouldn't allow all valid email addresses but at least it would allow stuff like mikko.rantalainen+nyphp at peda.net unlike many complex regexes that are meant to filter email addresses. 
A simple, untested implementation would look like

function getSafeEmail($input_email) {
  # atext characters, http://rfc.net/rfc2822.html#s3.2.4.
  # (the "-" is listed first so it is literal; no leading "^",
  # because "[^...]" negates a class and "[...]" must not)
  $dot_atom = "-a-z0-9!#\$%&'*/=?_`{|}~+";
  # filter extra characters off; "." and "@" have to survive for the
  # match below. preg_replace() replaces every match, there is no
  # "g" modifier in PHP.
  $safe_email = preg_replace("@[^{$dot_atom}.\@]@i", "", $input_email);
  # dot-atom "@" dot-atom, anchored so nothing may precede or follow it
  if (preg_match("@^[{$dot_atom}]+(\.[{$dot_atom}]+)*\@[{$dot_atom}]+(\.[{$dot_atom}]+)+$@i", $safe_email))
    return $safe_email;
  else
    return ""; # error
}

For the second function we have two possible ways to make sure that $input_header indeed contains exactly one valid header; either remove all line feeds from the input or append a space after every line feed which makes whole input a single header wrapped to multiple lines (http://rfc.net/rfc2822.html#s2.2.3.). I'll choose the latter method for this implementation. Again, this is untested.

function getSafeHeader($input_header) {
  # split as defined in http://rfc.net/rfc2822.html#s2.2.
  if (strpos($input_header, ":") === false) return ""; # no "name: value"
  list($name, $value) = explode(":", $input_header, 2);
  # verify header name: printable US-ASCII, and \z rather than $ so
  # a name ending in a line feed is not let through
  if (!preg_match("@^[".chr(33)."-".chr(126)."]+\z@", $name)) return "";
  # header cannot contain CRLF
  # our implementation strips out CRs, make sure all LFs
  # are safe and reinserts CRs
  $value = preg_replace("@\r@", "", trim($value));
  $value = preg_replace("@\n@", "\n ", $value);
  $value = preg_replace("@\n@", "\r\n", $value);
  $safe_header = $name.": ".$value."\r\n";
  return $safe_header;
}

Body doesn't need to be handled unless you use HTML mail (shame on you), in which case all XSS issues are there waiting. -- Mikko From michael.southwell at nyphp.org Tue Sep 13 10:31:03 2005 From: michael.southwell at nyphp.org (Michael Southwell) Date: Tue, 13 Sep 2005 10:31:03 -0400 Subject: [nycphp-talk] worm/virus's hammering feedback scripts?
POLISHED VERSION In-Reply-To: <6.2.5.4.2.20050912231541.06c89ca8@rbnsn.com> References: <0MKp2t-1EEnZh055l-0000LJ@mrelay.perfora.net> <43259BC2.4050604@omnistep.com> <6.2.3.4.2.20050912120926.0244d060@mail.optonline.net> <6.2.5.4.2.20050912231541.06c89ca8@rbnsn.com> Message-ID: <6.2.3.4.2.20050913102132.0249ddc8@mail.optonline.net> At 11:20 PM 9/12/2005, you wrote: >I'm curious as to why you think that the \ in \r and \n need to be >escaped? I am really searching for and removing "\n" and "\r" >characters in the string. In my tests this has worked and prevented >the spam tests from getting out. It didn't work for me (on Windows): References: <0MKp2t-1EEnZh055l-0000LJ@mrelay.perfora.net> <43259BC2.4050604@omnistep.com> <6.2.3.4.2.20050912120926.0244d060@mail.optonline.net> <6.2.5.4.2.20050912231541.06c89ca8@rbnsn.com> Message-ID: On 9/12/05, Ken Robinson wrote: > At 12:15 PM 9/12/2005, Michael Southwell wrote: > >I polished this up a bit. > > > >IMPORTANT: Ken's original function did not work in my testing, > >because (1) the \ in \r and \n needed to be escaped, and (2) he had > >the letter O instead of the numeral 0 in the hex numbers. Somebody > >smarter than I am, please check carefully the modified version included below. > > I'm curious as to why you think that the \ in \r and \n need to be > escaped? I am really searching for and removing "\n" and "\r" > characters in the string. In my tests this has worked and prevented > the spam tests from getting out. The spambots are still hitting the > one site I've made the modifications on. They're not hitting any of my > other sites (yet) and I have been working on getting the fix into them. > > BTW, I've noticed that they're putting their malicious code in any > and/or all of the posted variables including "submit". > > Another attempt I've seen was where the referer was a file I don't > have. That one was easy to stop.
> I'm curious as to why we wouldn't just bail out and refuse to send the email at all if someone posted input with CR or LF in it? Seems to me that if you have a form with and you get a multiline $_POST['from'], then somebody is trying to get away with something. While not necessarily the case here, sometimes taking out something bad will create a situation where you're left with something worse. Sometimes it's better to be conservative and disallow input rather than try to sanitize it. -- Chris Snyder http://chxo.com/ From rolan at omnistep.com Tue Sep 13 10:57:33 2005 From: rolan at omnistep.com (Rolan Yang) Date: Tue, 13 Sep 2005 10:57:33 -0400 Subject: [nycphp-talk] worm/virus's hammering feedback scripts? POLISHED VERSION In-Reply-To: References: <0MKp2t-1EEnZh055l-0000LJ@mrelay.perfora.net> <43259BC2.4050604@omnistep.com> <6.2.3.4.2.20050912120926.0244d060@mail.optonline.net> <6.2.5.4.2.20050912231541.06c89ca8@rbnsn.com> Message-ID: <4326E8DD.1000401@omnistep.com> csnyder wrote: >I'm curious as to why we wouldn't just bail out and refuse to send the >email at all if someone posted input with CR or LF in it? > >Seems to me that if you have a form with name="from" /> and you get a multiline $_POST['from'], then somebody >is trying to get away with something. > >While not necessarily the case here, sometimes taking out something >bad will create a situation where you're left with something worse. >Sometimes it's better to be conservative and disallow input rather >than try to sanitize it. > > I am in total agreement here. Even though the messages were no longer a threat, we were awfully tired of seeing the flood of incoming garbage. Preventing the offending message from being sent also saves a lot of wear and tear on the "Delete" button. 
~Rolan From danielc at analysisandsolutions.com Tue Sep 13 10:58:31 2005 From: danielc at analysisandsolutions.com (Daniel Convissor) Date: Tue, 13 Sep 2005 10:58:31 -0400 Subject: [nycphp-talk] Filtering input to be appended inside email In-Reply-To: <4326DFE6.6@peda.net> References: <0MKp2t-1EEVZL04AF-0004KA@mrelay.perfora.net> <0MKp2t-1EEnZh055l-0000LJ@mrelay.perfora.net> <43259BC2.4050604@omnistep.com> <20050912162018.GA22938@panix.com> <6.2.3.4.2.20050912123707.0246ca40@mail.optonline.net> <20050912183529.GA1332@panix.com> <4326DFE6.6@peda.net> Message-ID: <20050913145831.GA14467@panix.com> Hey Mikko: On Tue, Sep 13, 2005 at 05:19:18PM +0300, Mikko Rantalainen wrote: > > That looks pretty simple but it doesn't allow even nearly all valid > email addresses. I know. Particularly international domain names. :) > # header cannot contain CRLF > # our implementation strips out CRs, make sure all LFs > # are safe and reinserts CRs > $value = preg_replace("@\r@","",trim($value)); > $value = preg_replace("@\n@","\n ",$value); > $value = preg_replace("@\n@","\r\n",$value); That can be done in one call (untested): $value = preg_replace("/[\r\n]+/", "\r\n ", trim($value)); I see the point of this is putting a space at the beginning of the line so the input doesn't get interpreted as a new header line. But in my opinion, when user input is involved, allowing \r or \n isn't wise in the first place. > Body doesn't need to be handled unless you use HTML mail (shame on > you), in which case all XSS issues are there waiting. But some (many?) email clients are F'ing stupid.
--Dan -- T H E A N A L Y S I S A N D S O L U T I O N S C O M P A N Y data intensive web and database programming http://www.AnalysisAndSolutions.com/ 4015 7th Ave #4, Brooklyn NY 11232 v: 718-854-0335 f: 718-854-0409 From mikko.rantalainen at peda.net Tue Sep 13 11:11:13 2005 From: mikko.rantalainen at peda.net (Mikko Rantalainen) Date: Tue, 13 Sep 2005 18:11:13 +0300 Subject: [nycphp-talk] Filtering input to be appended inside email In-Reply-To: <20050913145831.GA14467@panix.com> References: <0MKp2t-1EEVZL04AF-0004KA@mrelay.perfora.net> <0MKp2t-1EEnZh055l-0000LJ@mrelay.perfora.net> <43259BC2.4050604@omnistep.com> <20050912162018.GA22938@panix.com> <6.2.3.4.2.20050912123707.0246ca40@mail.optonline.net> <20050912183529.GA1332@panix.com> <4326DFE6.6@peda.net> <20050913145831.GA14467@panix.com> Message-ID: <4326EC11.2080708@peda.net> Daniel Convissor wrote: > Mikko wrote: >>Body doesn't need to be handled unless you use HTML mail (shame on >>you), in which case all XSS issues are there waiting. > > But some (many?) email clients are F'ing stupid. Yes, but my point was that unless you're sending HTML mail from your server, there's no need to filter body. Or at least I'm not aware of any exploitable MUA when the input type is text/plain. -- Mikko From suzerain at suzerain.com Tue Sep 13 15:23:20 2005 From: suzerain at suzerain.com (Marc Antony Vose) Date: Tue, 13 Sep 2005 15:23:20 -0400 Subject: [nycphp-talk] worm/virus's hammering feedback scripts? POLISHED VERSION In-Reply-To: References: <0MKp2t-1EEnZh055l-0000LJ@mrelay.perfora.net> <43259BC2.4050604@omnistep.com> <6.2.3.4.2.20050912120926.0244d060@mail.optonline.net> <6.2.5.4.2.20050912231541.06c89ca8@rbnsn.com> Message-ID: At 10:43 AM -0400 9/13/05, csnyder wrote: > > >I'm curious as to why we wouldn't just bail out and refuse to send the >email at all if someone posted input with CR or LF in it? 
> >Seems to me that if you have a form with name="from" /> and you get a multiline $_POST['from'], then somebody >is trying to get away with something. > At first this was freaking me out, too, but I just wanted to chime in and say this is my preferred solution to this problem as well. I think if you receive any input that looks fishy (by whatever test you choose...multiline 'from' lines seem like a good place to start), you should just not send the email, and show your users "Sorry, try again" or something. Cheers, -- Marc Antony Vose http://www.suzerain.com/ Poetry atrophies when it gets too far from music. -- Ezra Pound From orgcomp at yahoo.com Tue Sep 13 17:16:52 2005 From: orgcomp at yahoo.com (m o) Date: Tue, 13 Sep 2005 14:16:52 -0700 (PDT) Subject: [nycphp-talk] shtml Message-ID: <20050913211652.28184.qmail@web36212.mail.mud.yahoo.com> I'm working on a migration of a database from linux to windows, to track clients' needs for the Salvation Army. I'm having one big problem with the shtml playing right. I have PHP 4.3.2 running on windows with apache 2.0.54 and postgresql 8.0. Why I write you is maybe you would know how to make shtml a stream on PHP. I've had a hard time trying to get shtml to play nice. What INI settings need to be changed to make it work.. I can send a copy of the ini if needed. __________________________________ Yahoo! Mail - PC Magazine Editors' Choice 2005 http://mail.yahoo.com From chsnyder at gmail.com Tue Sep 13 18:42:15 2005 From: chsnyder at gmail.com (csnyder) Date: Tue, 13 Sep 2005 18:42:15 -0400 Subject: [nycphp-talk] shtml In-Reply-To: <20050913211652.28184.qmail@web36212.mail.mud.yahoo.com> References: <20050913211652.28184.qmail@web36212.mail.mud.yahoo.com> Message-ID: On 9/13/05, m o wrote: > I'm working on a migration of a database from linux to > windows, to track clients' needs for the Salvation > Army. > I'm having one big problem with the shtml playing right. > I have PHP 4.3.2 running on windows with apache 2.0.54 > and postgresql 8.0.
> Why I write you is maybe you would know how to make > shtml > a stream on PHP. I've had a hard time trying to get > shtml to play nice. > What INI settings need to be changed to make it work.. I can > send a copy of the ini if > needed. Make shtml a stream in PHP... can you give us a better description of what you're trying to do? If you're talking about server-side includes, then the answer is that (generally speaking), you can use Apache includes, or PHP, but not both together in the same request. Or at least, you couldn't back in the day... There may be some way to use filters in Apache2 that would allow the server to execute a document as PHP code first, and then act on server-side include directives in the resulting output... does that sound like what you want? It might make a big difference whether the PHP is in the requested document, or in the include, or both. -- Chris Snyder http://chxo.com/ From hendler at simmons.edu Tue Sep 13 19:11:19 2005 From: hendler at simmons.edu (Jonathan) Date: Tue, 13 Sep 2005 19:11:19 -0400 Subject: [nycphp-talk] Zend certification In-Reply-To: References: <20050913211652.28184.qmail@web36212.mail.mud.yahoo.com> Message-ID: <43275C97.6020909@simmons.edu> Hi all, After 5 years of using PHP I took the Zend certification exam and passed. Like the last sentence, it was a little anti-climactic. I don't know my score and would like to - I think. Overall I thought the test was fine for a low to mid level cert - but it wasn't enterprise level and somewhat jokingly I'd say it didn't make me feel like the as-advertised engineer. I don't want to sound too critical - overall, I am glad to see a certification program exists and it's not a bad start. I would think to be a zend engineer there is a whole other tier of applications, external libraries, and PHP 5 items that would be great for the next level certification.
- Jonathan Hendler From codebowl at gmail.com Tue Sep 13 20:17:01 2005 From: codebowl at gmail.com (Joseph Crawford) Date: Tue, 13 Sep 2005 20:17:01 -0400 Subject: [nycphp-talk] Zend certification In-Reply-To: <43275C97.6020909@simmons.edu> References: <20050913211652.28184.qmail@web36212.mail.mud.yahoo.com> <43275C97.6020909@simmons.edu> Message-ID: <8d9a428005091317171dc6705e@mail.gmail.com> I am looking to schedule my test, can you tell me about how long it takes for the test? -- Joseph Crawford Jr. Codebowl Solutions, Inc. 1-802-671-2021 codebowl at gmail.com -------------- next part -------------- An HTML attachment was scrubbed... URL: From dmintz at davidmintz.org Tue Sep 13 20:46:29 2005 From: dmintz at davidmintz.org (David Mintz) Date: Tue, 13 Sep 2005 20:46:29 -0400 (EDT) Subject: [nycphp-talk] Zend certification In-Reply-To: <43275C97.6020909@simmons.edu> References: <20050913211652.28184.qmail@web36212.mail.mud.yahoo.com> <43275C97.6020909@simmons.edu> Message-ID: On Tue, 13 Sep 2005, Jonathan wrote: > Hi all, > > After 5 years of using PHP I took the Zend certification exam and passed. Yay! --- David Mintz http://davidmintz.org/ From prusak at gmail.com Tue Sep 13 21:36:01 2005 From: prusak at gmail.com (Ophir Prusak) Date: Tue, 13 Sep 2005 21:36:01 -0400 Subject: [nycphp-talk] Zend certification In-Reply-To: <43275C97.6020909@simmons.edu> References: <20050913211652.28184.qmail@web36212.mail.mud.yahoo.com> <43275C97.6020909@simmons.edu> Message-ID: Congrats ! As someone who previously taught PHP for Zend, a few comments. Some of the people who wrote the test are on this list, so I'm sure they can give you the "official" reply. The way I see it, it's really more of a door opener than a deal closer. PHP is "notorious" for having people who call themselves PHP programmers but don't know the first thing about computer science concepts. See http://www.prusak.com/archives/2004-11-04/how-did-we-get-here/ for more details.
Just because someone passed the Zend certification doesn't make them a good programmer, but it does mean: 1 - They take their commitment to PHP seriously 2 - They aren't just a front end developer who's read a few articles about PHP on the web. I've interviewed many people for junior programming positions, and some people will just about lie to get their foot in the door. Ophir On 9/13/05, Jonathan wrote: > Hi all, > > After 5 years of using PHP I took the Zend certification exam and passed. > Like the last sentence, it was a little anti-climactic. > I don't know my score and would like to - I think. > Overall I thought the test was fine for a low to mid level cert - but > it wasn't enterprise level and somewhat jokingly I'd say it didn't make > me feel like the as-advertised engineer. > I don't want to sound too critical - overall, I am glad to see a > certification program exists and it's not a bad start. > I would think to be a zend engineer there is a whole other tier of > applications, external libraries, and PHP 5 items that would be great > for the next level certification. > > - Jonathan Hendler > > _______________________________________________ > New York PHP Talk Mailing List > AMP Technology > Supporting Apache, MySQL and PHP > http://lists.nyphp.org/mailman/listinfo/talk > http://www.nyphp.org > From chris at theyellowbox.com Tue Sep 13 23:36:01 2005 From: chris at theyellowbox.com (Chris Merlo) Date: Tue, 13 Sep 2005 23:36:01 -0400 Subject: [nycphp-talk] Zend certification In-Reply-To: References: <20050913211652.28184.qmail@web36212.mail.mud.yahoo.com> <43275C97.6020909@simmons.edu> Message-ID: <946586480509132036e05c443@mail.gmail.com> On 9/13/05, Ophir Prusak wrote: I've interviewed many people for junior programming positions, and > some people will just about lie to get their foot in the door.
Just curious, since I teach CS and CIS at the college level: Could you ballpark for me what percentage of candidates, and what percentage of people you actually hire, have associates and bachelors degrees? I'd be much appreciative. -c -- chris at theyellowbox.com http://www.theyellowbox.com/ -------------- next part -------------- An HTML attachment was scrubbed... URL: From 1j0lkq002 at sneakemail.com Tue Sep 13 23:47:49 2005 From: 1j0lkq002 at sneakemail.com (inforequest) Date: Tue, 13 Sep 2005 20:47:49 -0700 Subject: [nycphp-talk] worm/virus's hammering feedback scripts? POLISHED VERSION In-Reply-To: References: <0MKp2t-1EEnZh055l-0000LJ@mrelay.perfora.net> <43259BC2.4050604@omnistep.com> <6.2.3.4.2.20050912120926.0244d060@mail.optonline.net> <6.2.5.4.2.20050912231541.06c89ca8@rbnsn.com> Message-ID: <7291-49880@sneakemail.com> Marc Antony Vose suzerain-at-suzerain.com |nyphp dev/internal group use| wrote: >At 10:43 AM -0400 9/13/05, csnyder wrote: > > >>I'm curious as to why we wouldn't just bail out and refuse to send the >>email at all if someone posted input with CR or LF in it? >> >>Seems to me that if you have a form with >name="from" /> and you get a multiline $_POST['from'], then somebody >>is trying to get away with something. >> >> >> > > >At first this was freaking me out, too, but I just wanted to chime in >and say this is my preferred solution to this problem as well. > >I think if you receive any input that looks fishy (by whatever test >you choose...multiline 'from' lines seem like a good place to start), >you should just not send the email, and show your users "Sorry, try >again" or something. > >Cheers, > > > Thanks for the enlightening discussion. While I agree completely with pro-active judging of input data, there are cases where users cut-n-paste data into form fields (from Word, for example) and inadvertently transfer all sorts of garbage (including CR/LF stuff). 
-=john andrews http://www.seo-fun.com From hendler at simmons.edu Wed Sep 14 01:06:13 2005 From: hendler at simmons.edu (Jonathan) Date: Wed, 14 Sep 2005 01:06:13 -0400 Subject: [nycphp-talk] Zend certification In-Reply-To: <8d9a428005091317171dc6705e@mail.gmail.com> References: <20050913211652.28184.qmail@web36212.mail.mud.yahoo.com> <43275C97.6020909@simmons.edu> <8d9a428005091317171dc6705e@mail.gmail.com> Message-ID: <4327AFC5.6030508@simmons.edu> If I remember correctly you are given 80 minutes for 70 questions. Joseph Crawford wrote: > I am looking to schedule my test, can you tell me about how long it > takes for the test? > > -- > Joseph Crawford Jr. > Codebowl Solutions, Inc. > 1-802-671-2021 > codebowl at gmail.com > >------------------------------------------------------------------------ > >_______________________________________________ >New York PHP Talk Mailing List >AMP Technology >Supporting Apache, MySQL and PHP >http://lists.nyphp.org/mailman/listinfo/talk >http://www.nyphp.org > From lists at zaunere.com Wed Sep 14 07:16:29 2005 From: lists at zaunere.com (Hans Zaunere) Date: Wed, 14 Sep 2005 07:16:29 -0400 Subject: [nycphp-talk] worm/virus's hammering feedback scripts?POLISHED VERSION In-Reply-To: Message-ID: <0MKoyl-1EFVFc47SS-0007Bk@mrelay.perfora.net> Daniel Krook scribbled on Monday, September 12, 2005 11:43 PM: > > Is this exploit PHP specific? Although I haven't > > confirmed, the nature of > > the vulnerability would appear to affect any mailing web > > form, in nearly any > > language. Can anyone provide additional details? > > > Hmm, > > An interesting question...
> > > From my experience developing feedback forms in Java using the > > JavaMail > API, the "to" or "from" email addresses are of the type > javax.mail.internet.InternetAddress, which takes a String in its > constructor and throws an exception > (javax.mail.internet.AddressException) if the address can not be > parsed in RFC822 format (the default): > > http://java.sun.com/products/javamail/javadocs/javax/mail/internet/InternetAddress.html#InternetAddress(java.lang.String) > > These InternetAddress objects are normally given to an instance of > type javax.mail.internet.MimeMessage which is itself given an > instance of javax.mail.Session. You often set MimeMessage's > recipients with methods which take InternetAddresses, but can also > take raw Strings. > > The setSubject method of MimeMessage takes Strings, and it explicitly > notes in the Javadoc that "The application must ensure that the > subject does not contain any line breaks", which seems to suggest > that it is also known to be vulnerable to an exploit of this nature. > > http://java.sun.com/products/javamail/javadocs/javax/mail/internet/MimeMessage.html#setSubject(java.lang.String) > > So it would seem if you ventured past the parts of the JavaMail API > which allow you to use Strings, instead of creating InternetAddress > objects and hardcoding the subject, you would be "safe" from the > exploit, but you should double check any methods that you are using > that expect Strings. Good point - looks like justification for a wrapper class for the mail() function in PHP. We're working on getting a Phundamentals article online covering the discussion over the last couple of days. Thanks Roland and everyone for their feedback and discussion.
--- Hans Zaunere / President / New York PHP www.nyphp.org / www.nyphp.com From dmintz at davidmintz.org Wed Sep 14 11:20:13 2005 From: dmintz at davidmintz.org (David Mintz) Date: Wed, 14 Sep 2005 11:20:13 -0400 (EDT) Subject: [nycphp-talk] worm/virus's hammering feedback scripts?POLISHED VERSION In-Reply-To: <0MKoyl-1EFVFc47SS-0007Bk@mrelay.perfora.net> References: <0MKoyl-1EFVFc47SS-0007Bk@mrelay.perfora.net> Message-ID: On Wed, 14 Sep 2005, Hans Zaunere wrote: > > > > So it would seem if you ventured past the parts of the JavaMail API > > which allow you to use Strings, instead of creating InternetAddress > > objects and hardcoding the subject, you would be "safe" from the > > exploit, but you should double check any methods that you are using > > that expect Strings. > > Good point - looks like justification for a wrapper class for the mail() > function in PHP. > > We're working on getting a Phundamentals article online covering the > discussion over the last couple of days. Thanks Roland and everyone for > their feedback and discussion. And that class would sanitize message headers only, or the body as well? I am still unclear whether evil stuff in the body can spawn a completely new message. --- David Mintz http://davidmintz.org/ From hendler at simmons.edu Wed Sep 14 14:46:49 2005 From: hendler at simmons.edu (Jonathan) Date: Wed, 14 Sep 2005 14:46:49 -0400 Subject: [nycphp-talk] worm/virus's hammering feedback scripts? POLISHED VERSION In-Reply-To: References: <0MKp2t-1EEnZh055l-0000LJ@mrelay.perfora.net> <43259BC2.4050604@omnistep.com> <6.2.3.4.2.20050912120926.0244d060@mail.optonline.net> <6.2.5.4.2.20050912231541.06c89ca8@rbnsn.com> Message-ID: <43287019.9020201@simmons.edu> An HTML attachment was scrubbed... URL: From dmintz at davidmintz.org Wed Sep 14 15:29:19 2005 From: dmintz at davidmintz.org (David Mintz) Date: Wed, 14 Sep 2005 15:29:19 -0400 (EDT) Subject: [nycphp-talk] worm/virus's hammering feedback scripts? 
POLISHED VERSION In-Reply-To: <7291-49880@sneakemail.com> References: <0MKp2t-1EEnZh055l-0000LJ@mrelay.perfora.net> <43259BC2.4050604@omnistep.com> <6.2.3.4.2.20050912120926.0244d060@mail.optonline.net> <6.2.5.4.2.20050912231541.06c89ca8@rbnsn.com> <7291-49880@sneakemail.com> Message-ID: On Tue, 13 Sep 2005, inforequest wrote: > [....] > Thanks for the enlightening discussion. > > While I agree completely with pro-active judging of input data, there > are cases where users cut-n-paste data into form fields (from Word, for > example) and inadvertently transfer all sorts of garbage (including > CR/LF stuff). How about this: if you are expecting single-line input such as a last name, first trim() it, then test it for embedded CR/LF --- David Mintz http://davidmintz.org/ From lists at zaunere.com Wed Sep 14 21:31:05 2005 From: lists at zaunere.com (Hans Zaunere) Date: Wed, 14 Sep 2005 21:31:05 -0400 Subject: [nycphp-talk] worm/virus's hammering feedback scripts?POLISHED VERSION In-Reply-To: Message-ID: <0MKoyl-1EFiaf2Q4x-0005NR@mrelay.perfora.net> David Mintz scribbled on Wednesday, September 14, 2005 11:20 AM: > On Wed, 14 Sep 2005, Hans Zaunere wrote: > > > > > > So it would seem if you ventured past the parts of the JavaMail > > > API which allow you to use Strings, instead of creating > > > InternetAddress objects and hardcoding the subject, you would be > > > "safe" from the exploit, but you should double check any methods > > > that you are using that expect Strings. > > > > Good point - looks like justification for a wrapper class for the > > mail() function in PHP. > > > > We're working on getting a Phundamentals article online covering the > > discussion over the last couple of days. Thanks Roland and > > everyone for their feedback and discussion. > > And that class would sanitize message headers only, or the body as > well? I am still unclear whether evil stuff in the body can spawn a > completely new message. 
That class - if it existed :) - would sanitize any user input before entering the mail() function - ie, anything that could get into the header. The basic premise of this exploit is leveraging the MIME and SMTP standards, not PHP. As we've discussed and Dan Krook pointed out, some languages like Java have specific classes that are meant to wrap what is passed into a mail message. This is essentially what a wrapper class in PHP would do. If, however, these classes are not used - and generic strings are used - then it's likely that any web form is vulnerable. The reason for this is how the MIME standard works, and thus how SMTP interprets MIME messages. A basic MIME message is broken into two parts; a header and a body. The header and body are separated by a blank line, ie, \r\n\r\n (although most mail clients will accept UNIX and other line delimiters, like \n\n or even \n\r\n\r). Another aspect of MIME is multi-part, which is where the fun comes in. This means that messages can be embedded in other messages. This is done by having the top level header declare a boundary, which is then used to process further header/body pairs. If someone is able to inject content into this top level header, they can now essentially control the structure of the entire message. This is done by creating their own boundary, thus defining what's a body and what's a header. The other significant point of weakness that's taken advantage of is the fact that MIME (and subsequently really SMTP in this case) can deal with multiple headers of the same name. Meaning, if there is a To: followed by a To: they are interpreted "correctly" (ie, no error is thrown). Putting it all together, this allows an attacker to define additional recipients for a message, not to mention adding Bcc: and Cc: headers (using multiple headers of the same name), and additionally then defining body parts to be sent as the content of the message (by defining a multi-part message).
So the upshot: filter/sanitize anything that can get into the top-level header and you're safe - from this exploit anyway. An ingenious hack really; by combining innocuous - and frankly useful - features of MIME/SMTP, they were able to create a security problem. But then again, isn't that what security is always about? :) --- Hans Zaunere / President / New York PHP www.nyphp.org / www.nyphp.com From mail at billyreisinger.com Wed Sep 14 22:22:25 2005 From: mail at billyreisinger.com (Billy Reisinger) Date: Wed, 14 Sep 2005 22:22:25 -0400 Subject: [nycphp-talk] worm/virus's hammering feedback scripts?POLISHED VERSION In-Reply-To: <0MKoyl-1EFiaf2Q4x-0005NR@mrelay.perfora.net> References: <0MKoyl-1EFiaf2Q4x-0005NR@mrelay.perfora.net> Message-ID: Thanks, Hans - that's a very good explanation that's easy to understand! Cheers, Billy Reisinger > That class - if it existed :) - would sanitize any user input before > entering the mail() function - ie, anything that could get into the > header. > > The basic premise of this exploit is leveraging the MIME and SMTP > standards, > not PHP. As we've discussed and Dan Krook pointed out, some > languages like > Java have specific classes that are meant to wrap what is passed > into a mail > message. This is essentially what a wrapper class in PHP would > do. If, > however, these classes are not used - and generic strings are used > - then > it's likely that any web form is vulnerable. > > The reason for this is how the MIME standard works, and thus how SMTP > interprets MIME messages. A basic MIME message is broken into two > parts; a > header and a body. The header and body are separated by a blank > line, ie, > \r\n\r\n (although most mail clients will accept UNIX and other line > delimiters, like \n\n or even \n\r\n\r). > > Another aspect of MIME is multi-part, which is where the fun comes > in. This > means that messages can be embedded in other messages.
This is > done by > having the top level header declare a boundary, which is then used to > process further header/body pairs. > > If someone is able to inject content into this top level header, > they can > now essentially control the structure of the entire message. This > is done > by creating their own boundary, thus defining what's a body and > what's a > header. > > The other significant point of weakness that's taken advantage of > is the > fact that MIME (and subsequently really SMTP in this case) can > deal with > multiple headers of the same name. Meaning, if there is a To: > followed by a > To: they are interpreted "correctly" (ie, no error is thrown). > > Putting it all together, this allows an attacker to define additional > recipients for a message, not to mention adding Bcc: and Cc: > headers (using > multiple headers of the same name), and additionally then defining > body > parts to be sent as the content of the message (by defining a multi- > part > message). > > So the upshot: filter/sanitize anything that can get into the top- > level > header and you're safe - from this exploit anyway. > > An ingenious hack really; by combining innocuous - and frankly > useful - > features of MIME/SMTP, they were able to create a security > problem. But > then again, isn't that what security is always about? :) > > > --- > Hans Zaunere / President / New York PHP > www.nyphp.org / www.nyphp.com > > > _______________________________________________ > New York PHP Talk Mailing List > AMP Technology > Supporting Apache, MySQL and PHP > http://lists.nyphp.org/mailman/listinfo/talk > http://www.nyphp.org > > > -------------- next part -------------- An HTML attachment was scrubbed...
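The mechanics Hans describes above (the header block ends at the first blank line, every Bcc: line is honoured, and an attacker-supplied boundary decides what counts as body) together with the refuse-rather-than-repair rule csnyder and David Mintz argued for (trim(), then test for CR/LF), as an added editor's example in PHP 5. It is not code from any message in this thread and not the Phundamentals wrapper Hans mentions; naive_headers(), parse_message(), mime_parts(), require_single_line(), require_addr_spec() and safe_headers() are names chosen here, the attacker value and every address are constructed for the demonstration, and mail() is never called: the assembled message is only parsed.

```php
<?php
// Editor's example, not code from this thread. Builds a message the way a naive
// feedback script does, parses the result to show the injected Bcc: lines and
// attacker-chosen MIME boundary, then shows a wrapper that refuses such input.
// The attacker value and all addresses below are constructed; mail() is not called.

// The vulnerable pattern: posted values concatenated straight into the header block.
function naive_headers($from, $subject) {
    return "Subject: $subject\r\nFrom: $from\r\n";
}

// Split a raw message into (headers, body) at the first blank line. Header names
// are lowercased and duplicates kept as a list, so a second Bcc: stays visible
// instead of overwriting the first, which is how a receiving MTA treats them.
function parse_message($raw) {
    $halves  = explode("\r\n\r\n", $raw, 2);
    $head    = preg_replace("/\r\n([ \t])/", '$1', $halves[0]); // unfold continuations
    $body    = isset($halves[1]) ? $halves[1] : "";
    $headers = array();
    foreach (explode("\r\n", $head) as $line) {
        $pair = explode(":", $line, 2);
        $name = strtolower(trim($pair[0]));
        $headers[$name][] = isset($pair[1]) ? trim($pair[1]) : "";
    }
    return array($headers, $body);
}

// Return the MIME parts of a body when Content-Type declares a boundary. Text
// before the first delimiter (preamble) and after the closing one (epilogue) is
// ignored by MIME readers, so it is dropped here as well.
function mime_parts($headers, $body) {
    if (!isset($headers["content-type"])
        || !preg_match('/boundary="?([^";]+)"?/i', $headers["content-type"][0], $m)) {
        return array($body);
    }
    $b      = preg_quote($m[1], "/");
    $chunks = preg_split("/^--$b(--)?\r?$/m", $body);
    array_shift($chunks);   // preamble
    array_pop($chunks);     // epilogue
    return $chunks;
}

// Hardened: a value meant for one header line must not contain CR or LF. trim()
// first, so a pasted trailing newline is not fatal; anything left is refused
// rather than stripped, since what survives stripping may be worse.
function require_single_line($field, $value) {
    $value = trim($value);
    if (preg_match("/[\r\n]/", $value)) {
        throw new InvalidArgumentException("$field: CR or LF in a single-line field");
    }
    return $value;
}

// The address must be dot-atom "@" dot-atom (RFC 2822 3.4.1), the subset Mikko
// proposed; rarer legal forms such as "Name <addr>" or quoted local parts are refused.
function require_addr_spec($field, $value) {
    $atext = "[a-z0-9!#\$%&'*+\\/=?^_`{|}~-]+";
    if (!preg_match("/^$atext(\\.$atext)*@$atext(\\.$atext)+\\z/i", $value)) {
        throw new InvalidArgumentException("$field: not a plain addr-spec");
    }
    return $value;
}

function safe_headers($from, $subject) {
    $from    = require_addr_spec("From", require_single_line("From", $from));
    $subject = require_single_line("Subject", $subject);
    return "Subject: $subject\r\nFrom: $from\r\n";
}

// --- demonstration with a constructed attacker value ------------------------
$attack_from = "attacker@example.com\r\n"
    . "Bcc: victim1@example.com\r\n"
    . "Bcc: victim2@example.com\r\n"
    . "Content-Type: multipart/mixed; boundary=\"zzz\"\r\n"
    . "\r\n--zzz\r\nContent-Type: text/plain\r\n\r\nBuy now!\r\n--zzz--";
$form_body = "Hello, I have a question about your product.";

$raw = naive_headers($attack_from, "Feedback") . "\r\n" . $form_body;
list($headers, $body) = parse_message($raw);
$parts = mime_parts($headers, $body);
$form_text_shown = false;
foreach ($parts as $p) {
    if (strpos($p, $form_body) !== false) { $form_text_shown = true; }
}
printf("naive: %d Bcc line(s), %d MIME part(s), form text inside a part: %s\n",
    isset($headers["bcc"]) ? count($headers["bcc"]) : 0,
    count($parts), $form_text_shown ? "yes" : "no");

foreach (array($attack_from, "Joe <joe@example.com>",
               "mikko.rantalainen+nyphp@peda.net") as $from) {
    try {
        safe_headers($from, "Feedback");
        echo "safe_headers accepted: $from\n";
    } catch (InvalidArgumentException $e) {
        echo "safe_headers refused: " . $e->getMessage() . "\n";
    }
}
```

Run it with the php command-line binary. parse_message() and mime_parts() stand in for what the receiving MTA and the reader's MUA do with the assembled string: the injected value yields two Bcc: lines and one MIME part that is the attacker's, and the real form text ends up after the closing boundary, where it is never displayed. safe_headers() accepts only a single-line dot-atom address and a single-line subject, so the injected value and the "Name <addr>" form are refused while the plain addr-spec passes; a site that needs display names or quoted local parts has to widen require_addr_spec() deliberately rather than loosen the CR/LF check.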
From matthijsenator at gmail.com Thu Sep 15 02:03:39 2005 From: matthijsenator at gmail.com (matthijs abeelen) Date: Thu, 15 Sep 2005 08:03:39 +0200 Subject: [nycphp-talk] worm/virus's hammering feedback scripts?POLISHED VERSION In-Reply-To: References: <0MKoyl-1EFiaf2Q4x-0005NR@mrelay.perfora.net> Message-ID: This problem is spreading very fast, a good summary of the best solution(s) is needed indeed. Unfortunately, I'm not the one who can do that. Waiting eagerly for the article on Phundamentals! "We're working on getting a Phundamentals article online covering the discussion over the last couple of days. Thanks Roland and everyone for their feedback and discussion." At the moment I'm using the following script:

Error message here.

"); } } } ?> And then after receiving the POST variables I'll do: foreach ($_POST as $formInput) { email_injection_filter($formInput); } Could anyone give some feedback on this particular script? I know there have been given/proposed many filters already. But the sheer amount of them is a bit overwhelming and it seems there's still no consensus on the best solution. Thanks, Matthijs -------------- next part -------------- An HTML attachment was scrubbed... URL: From 1j0lkq002 at sneakemail.com Thu Sep 15 03:48:56 2005 From: 1j0lkq002 at sneakemail.com (inforequest) Date: Thu, 15 Sep 2005 00:48:56 -0700 Subject: [nycphp-talk] AJAX functionality at search.yahoo.com In-Reply-To: References: <0MKoyl-1EFiaf2Q4x-0005NR@mrelay.perfora.net> Message-ID: <26127-23125@sneakemail.com> It's midnight here in the Northwest, so you east-coast coders are probably getting ready to stop working right about now (3 hours ahead of me is 3am, so that's about right :-) You might want to check out search.yahoo.com. Any hour now they are launching an AJAX-like fast-search utility that pops up actual query results Google Suggest style. The thing is, these will be actual RESULTS. If it's good, doe sit mean no more SERPs?? There is alot of buzz starting already.... this should be cool (?) 
-=john andrews http://www.seo-fun.com

From mikko.rantalainen at peda.net Thu Sep 15 05:04:16 2005 From: mikko.rantalainen at peda.net (Mikko Rantalainen) Date: Thu, 15 Sep 2005 12:04:16 +0300 Subject: [nycphp-talk] Filtering input to be appended inside email In-Reply-To: <20050913145831.GA14467@panix.com> References: <0MKp2t-1EEVZL04AF-0004KA@mrelay.perfora.net> <0MKp2t-1EEnZh055l-0000LJ@mrelay.perfora.net> <43259BC2.4050604@omnistep.com> <20050912162018.GA22938@panix.com> <6.2.3.4.2.20050912123707.0246ca40@mail.optonline.net> <20050912183529.GA1332@panix.com> <4326DFE6.6@peda.net> <20050913145831.GA14467@panix.com> Message-ID: <43293910.40102@peda.net>

Daniel Convissor wrote:
> Hey Mikko:
> On Tue, Sep 13, 2005 at 05:19:18PM +0300, Mikko Rantalainen wrote:
>
>> # header cannot contain CRLF
>> # our implementation strips out CRs, make sure all LFs
>> # are safe and reinserts CRs
>> $value = preg_replace("@\r@","",trim($value));
>> $value = preg_replace("@\n@","\n ",$value);
>> $value = preg_replace("@\n@","\r\n",$value);
>
> That can be done in one call (untested):
> $value = preg_replace("/[\r\n]+/", "\r\n ", trim($value));

Yeah, that can be done in one call, but let's include the 'g' so that we are safe even if the input includes multiple lines of text. Also, allow multiple linefeeds to follow each other without discarding information (if input has "\r\n\r\n\r\n" then output should have "\r\n \r\n \r\n"). Let's try again:

$value = preg_replace("#\r*\n#g", "\r\n ", trim($value));

Note that this version still allows invalid input such as "word1\rword2". Even if you decide to use the original version with three preg_replace()s, add the missing 'g's after the second @.

> I see the point of this is putting a space at the beginning of the line so
> the input doesn't get interpreted as a new header line. But in my
> opinion, when user input is involved, allowing \r or \n isn't wise in the
> first place. See the RFC 2822.
Including line feeds is okay as long as the next line starts with a space. I'm always trying to make the most generic function that's still safe without discarding any information that I can still keep (in this case, LFs).

-- Mikko

From hans at cyberxdesigns.com Thu Sep 15 07:12:48 2005 From: hans at cyberxdesigns.com (Hans C. Kaspersetz) Date: Thu, 15 Sep 2005 07:12:48 -0400 Subject: [nycphp-talk] worm/virus's hammering feedback scripts?POLISHED VERSION In-Reply-To: References: <0MKoyl-1EFiaf2Q4x-0005NR@mrelay.perfora.net> Message-ID: <43295730.3090705@cyberxdesigns.com>

This might be a silly question, but with this solution are you still vulnerable if the hack comes in another character encoding?

HCK

matthijs abeelen wrote:
>This problem is spreading very fast, a good summary of the best solution(s)
>is needed indeed. Unfortunately, I'm not the one who can do that. Waiting
>eagerly for the article on Phundamentals!
>
>"We're working on getting a Phundamentals article online covering the
>discussion over the last couple of days. Thanks Roland and everyone for
>their feedback and discussion."
>
>
>At the moment I'm using the following script:
>// http://www.codingforums.com/showthread.php?t=67546
>
>function email_injection_filter($formInput)
>{
>    $injectionStrings = array("apparently-to",
>        "bcc",
>        "boundary=",
>        "charset",
>        "content-disposition",
>        "content-type",
>        "content-transfer-encoding",
>        "errors-to",
>        "in-reply-to",
>        "message-id",
>        "mime-version",
>        "multipart/mixed",
>        "multipart/alternative",
>        "multipart/related",
>        "reply-to",
>        "x-mailer",
>        "x-sender",
>        "x-uidl"
>    );
>    foreach ($injectionStrings as $spam)
>    {
>        $pos = strpos(strtolower($formInput), $spam);
>        if ($pos !== false)
>        {
>            error_log("Email injection attempt - From IP: " . $_SERVER['REMOTE_ADDR'] .
>                " | Server Time: " . date('m\/d\/y, h:i:s A'), 1, "mymail at domain.com");
>
>            exit("Error message here.");
>        }
>    }
>}
>?>
>
>And then after receiving the POST variables I'll do:
>foreach ($_POST as $formInput)
>{
>    email_injection_filter($formInput);
>}
>
>Could anyone give some feedback on this particular script? I know there have
>been given/proposed many filters already. But the sheer amount of them is a
>bit overwhelming and it seems there's still no consensus on the best
>solution.
>
>Thanks,
>Matthijs
>

From mwithington at PLMresearch.com Thu Sep 15 08:35:30 2005 From: mwithington at PLMresearch.com (Mark Withington) Date: Thu, 15 Sep 2005 08:35:30 -0400 Subject: [nycphp-talk] Mantis/Subversion integration Message-ID: <1F3CD8DDFB6A9B4C9B8DD06E4A7DE358EF2886@network.PLMresearch.com>

Perhaps slightly OT: I'm running Subversion locally and Mantis bug tracker on my web server. The process of integration requires Subversion to call a batch script (.bat on my Windoz box) that will in turn run a Mantis PHP script. I'm planning to do this via telnet (as the Mantis script - correctly - will not allow this particular PHP script to be run via the server). Soooooo..... Any DOS wizards out there that might be able to help me write the shell/bat script? I know how to do it if both Subversion and Mantis were both on the same box, just unsure how to do it on different boxes (one local, one remote). ALSO, if I'm off-base with my Telnet approach I would appreciate ideas there also...

Thanks, Mark

-------------------------- Mark L. Withington PLMresearch "eBusiness for the Midsize Enterprise" PO Box 1354 Plymouth, MA 02362 o: 800-310-3992 ext.
704 f: 508-746-4973 v: 508-746-2383 m: 508-801-0181 http://www.PLMresearch.com Netscape/AOL/MSN IM: PLMresearch mwithington at plmresearch.com Public Key: http://www.plmresearch.com/keys/MLW_public_key.asc Calendar: http://www.plmresearch.com/calendar.php

From danielc at analysisandsolutions.com Thu Sep 15 08:42:34 2005 From: danielc at analysisandsolutions.com (Daniel Convissor) Date: Thu, 15 Sep 2005 08:42:34 -0400 Subject: [nycphp-talk] Filtering input to be appended inside email In-Reply-To: <43293910.40102@peda.net> References: <0MKp2t-1EEVZL04AF-0004KA@mrelay.perfora.net> <0MKp2t-1EEnZh055l-0000LJ@mrelay.perfora.net> <43259BC2.4050604@omnistep.com> <20050912162018.GA22938@panix.com> <6.2.3.4.2.20050912123707.0246ca40@mail.optonline.net> <20050912183529.GA1332@panix.com> <4326DFE6.6@peda.net> <20050913145831.GA14467@panix.com> <43293910.40102@peda.net> Message-ID: <20050915124234.GA29328@panix.com>

On Thu, Sep 15, 2005 at 12:04:16PM +0300, Mikko Rantalainen wrote:
> Daniel Convissor wrote:
> >
> > $value = preg_replace("/[\r\n]+/", "\r\n ", trim($value));
>
> Yeah, that can be done in one call, but let's include the 'g' so
> that we are safe even if the input includes multiple lines of text.

A few things. "g" isn't an official pattern modifier (aka "Internal option letter") (http://www.php.net/manual/en/reference.pcre.pattern.syntax.php). Perhaps you mean for it to be greedy, but PHP's preg is greedy by default. The "U" modifier makes things un-greedy.

The pattern I presented replaces any \r, \n or combination thereof in any order and of any length. So, since those ARE the characters that define line breaks, there's no need for the multi-line modifier, "m".

> $value = preg_replace("#\r*\n#g", "\r\n ", trim($value));

That pattern isn't 100% effective. For example, you won't catch a plain \r on its own. OH, I see below that's your intention...

> Note that this version still allows invalid input such as
> "word1\rword2".

While that may be allowed, I wouldn't trust that _at_ _all_. Most mail programs are forgiving and might consider "word2" a header.

--Dan

-- T H E A N A L Y S I S A N D S O L U T I O N S C O M P A N Y data intensive web and database programming http://www.AnalysisAndSolutions.com/ 4015 7th Ave #4, Brooklyn NY 11232 v: 718-854-0335 f: 718-854-0409

From lists at zaunere.com Thu Sep 15 09:01:22 2005 From: lists at zaunere.com (Hans Zaunere) Date: Thu, 15 Sep 2005 09:01:22 -0400 Subject: [nycphp-talk] worm/virus's hammering feedback scripts?POLISHED VERSION In-Reply-To: <43295730.3090705@cyberxdesigns.com> Message-ID: <0MKp2t-1EFtMi2l92-0003co@mrelay.perfora.net>

Hans C. Kaspersetz scribbled on Thursday, September 15, 2005 7:13 AM:
> This might be a silly question, but with this solution are you still
> vulnerable if the hack comes in another character encoding?

That's a good question. I believe that headers are expected to be in US-ASCII. While that's how it was in the original spec, there may be addendum specs that I'm not aware of (I don't read RFCs for a living anymore :) Most MTAs will likely break with non-ASCII headers anyway, even if it's allowed in some RFC. Again, there are likely fringe cases, but most who use sendmail/postfix/your-mta-here are probably immune.

---
Hans Zaunere / President / New York PHP
www.nyphp.org / www.nyphp.com

From rrust at r2communications.com Thu Sep 15 08:58:15 2005 From: rrust at r2communications.com (Randal Rust) Date: Thu, 15 Sep 2005 07:58:15 -0500 Subject: [nycphp-talk] Convert Word to PDF online with PHP Message-ID: <1126789095.43296fe73fc86@webmail.r2communications.com>

I have a client who would like to upload Word files to the site and have them converted to PDF on the fly. I'm not really turning up anything via Google that seems to fit the bill. Any thoughts? I told them to just buy Click To Convert for $90 USD and be done with it, but they insist...
Randal Rust ----------------------------- R.Squared Communications Digital Design for Bricks-and-Mortar Business www.r2communications.com

From mikko.rantalainen at peda.net Thu Sep 15 10:10:22 2005 From: mikko.rantalainen at peda.net (Mikko Rantalainen) Date: Thu, 15 Sep 2005 17:10:22 +0300 Subject: [nycphp-talk] Filtering input to be appended inside email In-Reply-To: <20050915124234.GA29328@panix.com> References: <0MKp2t-1EEVZL04AF-0004KA@mrelay.perfora.net> <0MKp2t-1EEnZh055l-0000LJ@mrelay.perfora.net> <43259BC2.4050604@omnistep.com> <20050912162018.GA22938@panix.com> <6.2.3.4.2.20050912123707.0246ca40@mail.optonline.net> <20050912183529.GA1332@panix.com> <4326DFE6.6@peda.net> <20050913145831.GA14467@panix.com> <43293910.40102@peda.net> <20050915124234.GA29328@panix.com> Message-ID: <432980CE.8040208@peda.net>

Daniel Convissor wrote:
> On Thu, Sep 15, 2005 at 12:04:16PM +0300, Mikko Rantalainen wrote:
>
>>Daniel Convissor wrote:
>>
>>> $value = preg_replace("/[\r\n]+/", "\r\n ", trim($value));
>>
>>Yeah, that can be done in one call, but let's include the 'g' so
>>that we are safe even if the input includes multiple lines of text.
>
> "g" isn't an official pattern modifier (aka "Internal option letter")
> (http://www.php.net/manual/en/reference.pcre.pattern.syntax.php).
> Perhaps you mean for it to be greedy, but PHP's preg is greedy by default.
> The "U" modifier makes things un-greedy.

Yes, you're right, of course. I hate when they make it look like Perl but don't actually copy the behavior. In Perl, the 'g' option makes the replacement pattern replace *all* matches - by default Perl regexes only replace the first occurrence.

> The pattern I presented replaces any \r, \n or combination thereof in any
> order and of any length. So, since those ARE the characters that define
> line breaks, there's no need for the multi-line modifier, "m".

As I wrote:

>> if input has "\r\n\r\n\r\n" then output should have "\r\n \r\n \r\n"

Your pattern replaces the above input with exactly one CRLF pair. If you just want to discard all line feeds, then it's fine to use that pattern and use space " " as a replacement. However, as I wanted to keep as much information as possible, I'm trying to keep all the three line feeds in the output so I cannot just match a sequence of "\r" and "\n" characters.

A correct implementation following the RFC would also make sure that no line exceeds 1000 characters and it *should* wrap lines at maximum of 78 characters.

-- Mikko

From nestorflorez at earthlink.net Thu Sep 15 12:28:08 2005 From: nestorflorez at earthlink.net (Nestor Florez) Date: Thu, 15 Sep 2005 09:28:08 -0700 (GMT-07:00) Subject: [nycphp-talk] Convert Word to PDF online with PHP Message-ID: <23797934.1126801688892.JavaMail.root@elwamui-milano.atl.sa.earthlink.net>

OpenOffice will convert the word document to PDF

Nestor :-)

-----Original Message----- From: Randal Rust Sent: Sep 15, 2005 5:58 AM To: NYPHP Talk Subject: [nycphp-talk] Convert Word to PDF online with PHP

I have a client who would like to upload Word files to the site and have them converted to PDF on the fly. I'm not really turning up anything via Google that seems to fit the bill. Any thoughts? I told them to just buy Click To Convert for $90 USD and be done with it, but they insist...
Randal Rust ----------------------------- R.Squared Communications Digital Design for Bricks-and-Mortar Business www.r2communications.com

From matt at jobsforge.com Thu Sep 15 12:55:18 2005 From: matt at jobsforge.com (Matthew Terenzio) Date: Thu, 15 Sep 2005 12:55:18 -0400 Subject: [nycphp-talk] AJAX functionality at search.yahoo.com In-Reply-To: <26127-23125@sneakemail.com> References: <0MKoyl-1EFiaf2Q4x-0005NR@mrelay.perfora.net> <26127-23125@sneakemail.com> Message-ID: <5cc639d1b3e887305dea439a9649489f@jobsforge.com>

On Sep 15, 2005, at 3:48 AM, inforequest wrote:
> The thing is, these will be actual
> RESULTS. If it's good, does it mean no more SERPs??

Could you explain what you mean? I ought to have a look at it and maybe it will be clearer.

From greg.rundlett at gmail.com Thu Sep 15 15:51:10 2005 From: greg.rundlett at gmail.com (Greg Rundlett) Date: Thu, 15 Sep 2005 15:51:10 -0400 Subject: [nycphp-talk] Mantis/Subversion integration In-Reply-To: <1F3CD8DDFB6A9B4C9B8DD06E4A7DE358EF2886@network.PLMresearch.com> References: <1F3CD8DDFB6A9B4C9B8DD06E4A7DE358EF2886@network.PLMresearch.com> Message-ID: <5e2aaca4050915125160559d52@mail.gmail.com>

quick and easy

// Fetch a URL over HTTP with the fopen wrappers and return the body as a
// string (allow_url_fopen must be enabled).
function openUrl($url) {
    // Fake the browser type
    // ini_set('user_agent','MSIE 4\.0b2;');
    $handle = fopen($url, "rb");
    $contents = '';
    if ($handle) {
        while (!feof($handle)) {
            $contents .= fread($handle, 8192);
        }
        fclose($handle);
    } else {
        $contents = 'Error opening ' . $url;
    }
    return $contents;
}

print $contents = openUrl('http://www.google.com');

From greg.rundlett at gmail.com Thu Sep 15 15:53:07 2005 From: greg.rundlett at gmail.com (Greg Rundlett) Date: Thu, 15 Sep 2005 15:53:07 -0400 Subject: [nycphp-talk] Mantis/Subversion integration In-Reply-To: <5e2aaca4050915125160559d52@mail.gmail.com> References: <1F3CD8DDFB6A9B4C9B8DD06E4A7DE358EF2886@network.PLMresearch.com> <5e2aaca4050915125160559d52@mail.gmail.com> Message-ID: <5e2aaca4050915125358a7ccd5@mail.gmail.com>

On 9/15/05, Greg Rundlett wrote:
>
> quick and easy
>
> function openUrl($url) {
>     // Fake the browser type
>     // ini_set('user_agent','MSIE 4\.0b2;');
>     $handle = fopen($url, "rb");
>     $contents = '';
>     if ($handle) {
>         while (!feof($handle)) {
>             $contents .= fread($handle, 8192);
>         }
>         fclose($handle);
>     } else {
>         $contents = 'Error opening ' . $url;
>     }
>     return $contents;
> }
>
> print $contents = openUrl('http://www.google.com');
>

and run that from the bat as

php.exe -f myUrlGetter.php url=http://www.foo.com

of course then you'd perhaps want to add in Console/GetOpt.php (from PEAR) to parse the command-line args

From mwithington at PLMresearch.com Thu Sep 15 16:05:15 2005 From: mwithington at PLMresearch.com (Mark Withington) Date: Thu, 15 Sep 2005 16:05:15 -0400 Subject: [nycphp-talk] Mantis/Subversion integration Message-ID: <1F3CD8DDFB6A9B4C9B8DD06E4A7DE358EF2897@network.PLMresearch.com>

To paraphrase Homer Simpson, "Doh!" PHP's CLI, brilliant. Thanks Greg.

-------------------------- Mark L. Withington PLMresearch v: 508-746-2383 m: 508-801-0181 Calendar: http://www.plmresearch.com/calendar.php

-----Original Message----- From: talk-bounces at lists.nyphp.org [mailto:talk-bounces at lists.nyphp.org] On Behalf Of Greg Rundlett Sent: Thursday, September 15, 2005 3:53 PM To: NYPHP Talk Subject: Re: [nycphp-talk] Mantis/Subversion integration

On 9/15/05, Greg Rundlett wrote:

quick and easy

function openUrl($url) {
    // Fake the browser type
    // ini_set('user_agent','MSIE 4\.0b2;');
    $handle = fopen($url, "rb");
    $contents = '';
    if ($handle) {
        while (!feof($handle)) {
            $contents .= fread($handle, 8192);
        }
        fclose($handle);
    } else {
        $contents = 'Error opening ' . $url;
    }
    return $contents;
}

print $contents = openUrl('http://www.google.com');

and run that from the bat as

php.exe -f myUrlGetter.php url=http://www.foo.com

of course then you'd perhaps want to add in Console/GetOpt.php (from PEAR) to parse the command-line args

From cfontaine at spidmail.net Thu Sep 15 16:30:15 2005 From: cfontaine at spidmail.net (Cedric Fontaine) Date: Thu, 15 Sep 2005 16:30:15 -0400 Subject: [nycphp-talk] zencart help list Message-ID: <4329D9D7.2080508@spidmail.net>

Hello, I have a problem with zencart not redirecting from main_page=checkout_process to main_page=checkout_success

I get a blank page on checkout_process and I don't know why.

cache/ dir is empty
no mod_gzip activated

And I try to find the problem and it seems that Header("Location...) is not sent or not interpreted...

You guys, are you using it? Are there any mailing list resources?
Thanks Cedric From 1j0lkq002 at sneakemail.com Thu Sep 15 17:31:03 2005 From: 1j0lkq002 at sneakemail.com (inforequest) Date: Thu, 15 Sep 2005 14:31:03 -0700 Subject: [nycphp-talk] AJAX functionality at search.yahoo.com In-Reply-To: <5cc639d1b3e887305dea439a9649489f@jobsforge.com> References: <0MKoyl-1EFiaf2Q4x-0005NR@mrelay.perfora.net> <26127-23125@sneakemail.com> <5cc639d1b3e887305dea439a9649489f@jobsforge.com> Message-ID: <30346-14369@sneakemail.com> Matthew Terenzio matt-at-jobsforge.com |nyphp dev/internal group use| wrote: >On Sep 15, 2005, at 3:48 AM, inforequest wrote: > > > >>The thing is, these will be actual >>RESULTS. If it's good, doe sit mean no more SERPs?? >> >> > >Could you explain what you mean? I ought to have a look at it and >maybe it will be clearer. > > Yes. That was based on rumor.... so naturally it was a bit off. The service did launch as beta but it's here http://instant.search.yahoo.com/ -=john andrews http://www.seo-fun.com when Dreamhost isn't down From rsa at barrett.com.au Thu Sep 15 19:44:35 2005 From: rsa at barrett.com.au (Russell Aronson) Date: Fri, 16 Sep 2005 09:44:35 +1000 Subject: [nycphp-talk] PHP segmentation fault with custom-compiled binaries -Zen Cart Message-ID: <432A0763.9090300@barrett.com.au> I had the same problem about a week ago. i could connect to the mysql server through php but when i pulled data, the apache process would segfault. I had also compiled the php5 and mysql 4.1.12 packages from source. i took a look at phpinfo from within a browser and also from the command line. i realized that the mysql client api version was 3.23 (which was different to the mysql server version i was running) in the browser but not on the command line. i had both 3.23 and 4.1 mysql client libraries installed because perl-DBI and mod_auth_mysql required the older version... The problem is something like this. 
mod_auth_mysql loaded the mysqlclient10-3.23 libraries into the apache process which overwrote the other mysql client libraries that php loaded. when php uses a mysql function, it goes through a module compiled for mysql 4.1 libraries, but in this case, it links to a library compiled for mysql 3.23 because of mod_auth_mysql. To fix the problem, just remove any apache module that uses the mysqlclient10-3.23 libraries, ie. mod_auth_mysql. -- Russell Aronson, Web Development & System Administration Barrett Consulting Group Pty Ltd Phone: +61 3 9532 7677, Fax: +61 3 9532 7388 http://www.barrett.com.au From matt at jobsforge.com Thu Sep 15 20:44:24 2005 From: matt at jobsforge.com (Matthew Terenzio) Date: Thu, 15 Sep 2005 20:44:24 -0400 Subject: [nycphp-talk] AJAX functionality at search.yahoo.com In-Reply-To: <30346-14369@sneakemail.com> References: <0MKoyl-1EFiaf2Q4x-0005NR@mrelay.perfora.net> <26127-23125@sneakemail.com> <5cc639d1b3e887305dea439a9649489f@jobsforge.com> <30346-14369@sneakemail.com> Message-ID: On Sep 15, 2005, at 5:31 PM, inforequest wrote: > Yes. That was based on rumor.... so naturally it was a bit off. The > service did launch as beta but it's here > http://instant.search.yahoo.com/ > Yes, but what did you mean by the end of SERPs. Why? From lists at zaunere.com Thu Sep 15 21:01:54 2005 From: lists at zaunere.com (Hans Zaunere) Date: Thu, 15 Sep 2005 21:01:54 -0400 Subject: [nycphp-talk] AJAX functionality at search.yahoo.com In-Reply-To: <30346-14369@sneakemail.com> Message-ID: <0MKp2t-1EG4bx2zWw-0005QT@mrelay.perfora.net> inforequest wrote on Thursday, September 15, 2005 5:31 PM: > Matthew Terenzio matt-at-jobsforge.com |nyphp dev/internal group use| > wrote: > > > On Sep 15, 2005, at 3:48 AM, inforequest wrote: > > > > > > > > > The thing is, these will be actual > > > RESULTS. If it's good, doe sit mean no more SERPs?? > > > > > > > > > > Could you explain what you mean? I ought to have a look at it and > > maybe it will be clearer. 
> > > > > Yes. That was based on rumor.... so naturally it was a bit off. The > service did launch as beta but it's here > http://instant.search.yahoo.com/ I've gone back to Yahoo! and changed my default search engine to it, but I must admit the above is quite unimpressive :) H From lists at zaunere.com Thu Sep 15 21:04:48 2005 From: lists at zaunere.com (Hans Zaunere) Date: Thu, 15 Sep 2005 21:04:48 -0400 Subject: [nycphp-talk] zencart help list In-Reply-To: <4329D9D7.2080508@spidmail.net> Message-ID: <0MKp2t-1EG4el0ksf-0005n4@mrelay.perfora.net> Cedric Fontaine wrote on Thursday, September 15, 2005 4:30 PM: > Hello, > > I have a problem with zencart not redirecting from > main_page=checkout_process to main_page=checkout_success > > I get a blank page on checkout_process and I don't know why. > > cache/ dir is empty > no mod_gzip activated > > And I try to find the problem and it seems that Header("Location...) > is not sent or not interpreted... Not specific to Zen Cart, but just double check that there's no output before the header() call. Any output - even a new line - will of course cause header() to fail. H From papillion at gmail.com Thu Sep 15 21:31:40 2005 From: papillion at gmail.com (Anthony Papillion) Date: Thu, 15 Sep 2005 20:31:40 -0500 Subject: [nycphp-talk] Zend Certification Message-ID: <5458518f0509151831af53b9b@mail.gmail.com> Hello Everyone, I'm sure this has already been discussed on the list before but I was wanting some updated perspective about Zend Certification. I'm a serious, professional PHP developer who's competing for jobs with people who "picked up scripting and have done a few sites in their spare time". I'm wanting to find something that can immediately differentiate myself and my skill set from those people without the client or employer having to setup an interview and review sample code, etc. I think a Zend cert might help do that. My question is this: how seriously is the certification taken by employers and clients? 
Does it really set a developer apart or is it like the old MCSE cert was a few years ago? Thanks! -- Anthony Papillion Phone: (918) 926-0139 ICQ: 96-698-595 CAN ONE VOICE CHANGE THE WORLD? http://www.one.org From woodwort at agritec.net Thu Sep 15 21:57:56 2005 From: woodwort at agritec.net (woodwort) Date: Thu, 15 Sep 2005 18:57:56 -0700 Subject: [nycphp-talk] cake In-Reply-To: References: <0MKp2t-1EEnZh055l-0000LJ@mrelay.perfora.net> <43259BC2.4050604@omnistep.com> <6.2.3.4.2.20050912120926.0244d060@mail.optonline.net> <6.2.5.4.2.20050912231541.06c89ca8@rbnsn.com> Message-ID: <432A26A4.7060003@agritec.net> I am not sure if anyone has heard of cake, but its pretty nice and growing fast. Inspired by rails. http://www.cakephp.org From chendry at gmail.com Thu Sep 15 23:15:37 2005 From: chendry at gmail.com (Christopher Hendry) Date: Thu, 15 Sep 2005 23:15:37 -0400 Subject: [nycphp-talk] AJAX functionality at search.yahoo.com In-Reply-To: <0MKp2t-1EG4bx2zWw-0005QT@mrelay.perfora.net> References: <30346-14369@sneakemail.com> <0MKp2t-1EG4bx2zWw-0005QT@mrelay.perfora.net> Message-ID: <769e4ce050915201526532c4d@mail.gmail.com> Seems that Ajax is creating a lot of hype - just as all new 'technologies' do. http://www.nytimes.com/2005/09/12/technology/12ecom.html What's most impressive about all this is that Javascript seems to finally be stabilizing. C On 9/15/05, Hans Zaunere wrote: > > > > inforequest wrote on Thursday, September 15, 2005 5:31 PM: > > Matthew Terenzio matt-at-jobsforge.com |nyphp dev/internal group use| > > wrote: > > > > > On Sep 15, 2005, at 3:48 AM, inforequest wrote: > > > > > > > > > > > > > The thing is, these will be actual > > > > RESULTS. If it's good, doe sit mean no more SERPs?? > > > > > > > > > > > > > > Could you explain what you mean? I ought to have a look at it and > > > maybe it will be clearer. > > > > > > > > Yes. That was based on rumor.... so naturally it was a bit off. 
The > > service did launch as beta but it's here > > http://instant.search.yahoo.com/ > > I've gone back to Yahoo! and changed my default search engine to it, but I > must admit the above is quite unimpressive :) > > H > > _______________________________________________ > New York PHP Talk Mailing List > AMP Technology > Supporting Apache, MySQL and PHP > http://lists.nyphp.org/mailman/listinfo/talk > http://www.nyphp.org > -- "When you do things right, people won't be sure you've done anything at all." -------------- next part -------------- An HTML attachment was scrubbed... URL: From joeymarshall at ml1.net Fri Sep 16 00:01:06 2005 From: joeymarshall at ml1.net (Joey Marshall) Date: Thu, 15 Sep 2005 21:01:06 -0700 Subject: [nycphp-talk] Paypal IPN with php Message-ID: <1126843266.26501.243046269@webmail.messagingengine.com> hi, I'v been coding some software for a company and they want to integrate paypal's subscriptions with IPN. Iv'e read PayPal's manuel for it and looked around for examples but I still havn't figured out how to use it. Basicly, in my sql table for users I have one field named 'active', which I want turned on or off depending on the state of the users subscription. And I want new subscriptions that come in to create a new user. Is there any code out there that can do that thats easy to integrate? I think I understand the basic consept of IPN, I just need some code that can do what I mentioned in the above paragraph. Any help would be great! Thanks! Joey Marshall -- http://www.fastmail.fm - A fast, anti-spam email service. 
From 1j0lkq002 at sneakemail.com Fri Sep 16 00:14:20 2005 From: 1j0lkq002 at sneakemail.com (inforequest) Date: Thu, 15 Sep 2005 21:14:20 -0700 Subject: [nycphp-talk] AJAX functionality at search.yahoo.com In-Reply-To: <769e4ce050915201526532c4d@mail.gmail.com> References: <30346-14369@sneakemail.com> <0MKp2t-1EG4bx2zWw-0005QT@mrelay.perfora.net> <769e4ce050915201526532c4d@mail.gmail.com> Message-ID: <32586-22956@sneakemail.com> Christopher Hendry chendry-at-gmail.com |nyphp dev/internal group use| wrote: > Seems that Ajax is creating a lot of hype - just as all new > 'technologies' do. > > http://www.nytimes.com/2005/09/12/technology/12ecom.html > > What's most impressive about all this is that Javascript seems to > finally be stabilizing. > > C Or perhaps a commitment to JS is evident. JS is still disabled frequently, and the next spyware/virus incident still threatens to shut it down as always. I don't see us any further along the DHTML/Flash decision tree yet, but people simply can't wait any longer (?) Did you notice that the Gap site uses pop-ups that get past FF's pop-up blocker? I also note an increasing number of sites that break in FF. In other words, perhaps the risk is just being managed less tightly (for lack of any other options). -=john andrews http://www.seo-fun.com From 1j0lkq002 at sneakemail.com Fri Sep 16 00:28:51 2005 From: 1j0lkq002 at sneakemail.com (inforequest) Date: Thu, 15 Sep 2005 21:28:51 -0700 Subject: [nycphp-talk] AJAX functionality at search.yahoo.com In-Reply-To: References: <0MKoyl-1EFiaf2Q4x-0005NR@mrelay.perfora.net> <26127-23125@sneakemail.com> <5cc639d1b3e887305dea439a9649489f@jobsforge.com> <30346-14369@sneakemail.com> Message-ID: <8242-67455@sneakemail.com> Matthew Terenzio matt-at-jobsforge.com |nyphp dev/internal group use| wrote: >On Sep 15, 2005, at 5:31 PM, inforequest wrote: > > > >Yes, but what did you mean by the end of SERPs. Why? > > This is called a beta of Yahoo! "instant search". 
It seems to be an equivalent of Google's "I feel lucky" only it claims to give you the TOP RESULT (the #1 SERP position's website) instead of whatever "I feel lucky" promises. Yahoo! boldly suggests that the #1 result is "what you probably want anyway". Last report I saw, "I feel lucky" was not very popular. I am guessing most people don't even know what's behind that button. But if this "just show me me the #1 answer so I can say yes/no" becomes popular, two things come true immediately: 1. It REALLY pays to win the #1 spot in your category. Practically an all-or-nothing game to be in Yahoo! (so to the extent that people utilize Instant Search, the SERPs are meaningless. Only #1 matters) 2. Yahoo! eliminates alot of their SERPs "quality issues" by hiding them under the carpet. As long as the #1 spot is good, everyone thinks Yahoo! works great (even if #2 thru 10 are spam sites). Since it is widely known that Yahoo! hand edits certain categories to "manage" the top spots, they are thus able to eliminate a HUGE part of their algorithmic burden via Instant Search. Not much of a search engine, eh? More like a directory. And think about the "paid inclusion" possibilities... what could they get for the top spot then? The AJAX stuff is just part of the interface (eliminates the submit and allows "suggestion".. a powerful marketing concept). -=john andrews http://www.seo-fun.com when Dreamhost isn't down From hendler at simmons.edu Fri Sep 16 01:02:09 2005 From: hendler at simmons.edu (Jonathan) Date: Fri, 16 Sep 2005 01:02:09 -0400 Subject: [nycphp-talk] Zend Certification In-Reply-To: <5458518f0509151831af53b9b@mail.gmail.com> References: <5458518f0509151831af53b9b@mail.gmail.com> Message-ID: <432A51D1.7070305@simmons.edu> As you might have seen in previous posts, I took the test a few days ago. I would like several levels of certification - but the existing test was well written and does establish a standard baseline. 
My bet is that most employers, unless they are a real PHP house, haven't heard of Zend certification, or even Zend itself. So it'd be up to you to explain the merits of your certification to them. I think it could help. Anthony Papillion wrote: >Hello Everyone, > >I'm sure this has already been discussed on the list before but I was >wanting some updated perspective about Zend Certification. > >I'm a serious, professional PHP developer who's competing for jobs >with people who "picked up scripting and have done a few sites in >their spare time". I'm wanting to find something that can immediately >differentiate myself and my skill set from those people without the >client or employer having to setup an interview and review sample >code, etc. I think a Zend cert might help do that. > >My question is this: how seriously is the certification taken by >employers and clients? Does it really set a developer apart or is it >like the old MCSE cert was a few years ago? > >Thanks! > > From mikko.rantalainen at peda.net Fri Sep 16 04:07:36 2005 From: mikko.rantalainen at peda.net (Mikko Rantalainen) Date: Fri, 16 Sep 2005 11:07:36 +0300 Subject: [nycphp-talk] AJAX functionality at instant.search.yahoo.com In-Reply-To: <30346-14369@sneakemail.com> References: <0MKoyl-1EFiaf2Q4x-0005NR@mrelay.perfora.net> <26127-23125@sneakemail.com> <5cc639d1b3e887305dea439a9649489f@jobsforge.com> <30346-14369@sneakemail.com> Message-ID: <432A7D48.3020500@peda.net> inforequest wrote: > Matthew Terenzio matt-at-jobsforge.com |nyphp dev/internal group use| > wrote: > > [...] > service did launch as beta but it's here http://instant.search.yahoo.com/ Am I equally unimpressed as everybody else? I tried to type 10-20 different things I would try to search for and there was no "instant results" for any of them. Even the most common ones like "linux" gave me nothing. 
Now, compare this to Google suggest beta at http://www.google.com/webhp?complete=1 - granted, this doesn't provide the *result* but it does give me much more information otherwise. For example, if I input "linux" here, google suggest (almost instantly) provides a list that looks like this:

linux                 222 000 000 results
linux commands          5 240 000 results
linux download         21 500 000 results
linux games            14 900 000 results
...

So instead of not providing me anything, Google suggest tells me that "linux" isn't that good a search word because it matches 222 million documents. However, it also suggests me a collection of additional keywords that I might be interested in.

The bottom line is, using AJAX isn't interesting itself, it's what kind of information you can provide with it. If yahoo's "first hit instantly" method gets popular, it takes about 5 minutes for google to implement the same thing. They already have google suggests so they just need to add a feature to display the first result in addition to the list they provide and they have a better service.

-- 
Mikko

From cfontaine at spidmail.net Fri Sep 16 08:06:48 2005
From: cfontaine at spidmail.net (Cedric Fontaine)
Date: Fri, 16 Sep 2005 08:06:48 -0400
Subject: [nycphp-talk] zencart help list
In-Reply-To: <0MKp2t-1EG4el0ksf-0005n4@mrelay.perfora.net>
References: <0MKp2t-1EG4el0ksf-0005n4@mrelay.perfora.net>
Message-ID: <432AB558.9020108@spidmail.net>

Hans Zaunere wrote:
>
> Cedric Fontaine wrote on Thursday, September 15, 2005 4:30 PM:
>
>>Hello,
>>
>>I have a problem with zencart not redirecting from
>>main_page=checkout_process to main_page=checkout_success
>>
>>I get a blank page on checkout_process and I don't know why.

In fact sysadmin set php to display_errors no and no logging.
So I set errors to log and found that you were right there was output before redirect Cedric From codebowl at gmail.com Fri Sep 16 08:59:57 2005 From: codebowl at gmail.com (Joseph Crawford) Date: Fri, 16 Sep 2005 08:59:57 -0400 Subject: [nycphp-talk] PHP / Word 2003 COM Message-ID: <8d9a428005091605591e654e81@mail.gmail.com> Hello Everyone, I had been trying to figure out a way to use MySQL with Word 2003 as my data source for my mail merge. I FINALLY figured out how to do this but in the meantime i stumbled accross an article that showed how to use Word's COM object to automate the mail merge from within an intranet. I thought this may be usefull to others out there so i thought i would pass it to the list. Also though i have been trying to find the docs for the COM object so that i can figure out what format the header/data source are supposed to be in so that i can make use of this information. I have been to google and MSDN and spent about an hour on each trying to find these docs, do they not exist lol. Anyone that can point me in the proper direction? MySQL Mail Merge http://torque.oncloud8.com/archives/000160.html PHP & Word Com Integration http://www.zend.com/tips/tips.php?id=262&single=1 Any help would be appreciated. -- Joseph Crawford Jr. Codebowl Solutions, Inc. 1-802-671-2021 codebowl at gmail.com -------------- next part -------------- An HTML attachment was scrubbed... URL: From chucksmith at fun-electronics.com Fri Sep 16 09:52:47 2005 From: chucksmith at fun-electronics.com (chucksmith at fun-electronics.com) Date: Fri, 16 Sep 2005 09:52:47 -0400 Subject: [nycphp-talk] Paypal IPN with php In-Reply-To: References: Message-ID: <1126878767.432ace2f68b18@webmail.fun-electronics.com> > hi, > I'v been coding some software for a company and they want to integrate > paypal's subscriptions with IPN. Iv'e read PayPal's manuel for it and > looked around for examples but I still havn't figured out how to use it. 
> Basicly, in my sql table for users I have one field named 'active', > which I want turned on or off depending on the state of the users > subscription. And I want new subscriptions that come in to create a new > user. > Is there any code out there that can do that thats easy to integrate? I > think I understand the basic consept of IPN, I just need some code that > can do what I mentioned in the above paragraph. I found Paypal's own IPN code to be very confusing. I downloaded the following class and it worked great for me: http://www.micahcarrick.com/v2/content/view/1/3/ Good luck, Chuck ---------------------------------------------------------------- This message was sent using IMP, the Internet Messaging Program. From jay_nyphp at fastmail.fm Fri Sep 16 10:21:04 2005 From: jay_nyphp at fastmail.fm (Jayesh Sheth) Date: Fri, 16 Sep 2005 10:21:04 -0400 Subject: [nycphp-talk] Code cleanliness vs. code popularity Message-ID: <1126880464.15372.243077064@webmail.messagingengine.com> Hello all, I was recently reading through the phpBB source code, and had some observations to shares. In most of the pages / script files I looked through, there were 1000 - 2000 lines of PHP code, with no functions or comments. While the code itself is strictly procedural, it is also to the point, and not indecipherable. Still, some interesting questions came to me: how can one of the most popular PHP applications be written in eighties-style procedural code? Or, to rephrase it: are object-oriented design, (fancy) frameworks not useful in practice? How many of you have worked with commercial, open source or in-house frameworks? Have you found these frameworks to be useful in the long run, or do they just get in the way? I have long been a fan of PEAR (and other external / third-party) libraries. I much prefer to save myself work, when I do not have to reinvent the wheel. Still, in many companies, people prefer to write everything from scratch, often wrapped up in laborious frameworks. 
In your collective experience, what's the best policy for code development? In other words: bang it out, test it, ship it, receive feedback, fix it, and then back to the beginning again, or: huge design upfront, OO or functionized code,UML diagrams, and the 'f' word: a framework. I personally cannot write strictly procedural code any more, and I prefer a mix of functionized and OO code. Still, real world applications - popular real world applications, often totally avoid this approach. So, what gives? - Jay From hendler at simmons.edu Fri Sep 16 10:35:40 2005 From: hendler at simmons.edu (Jonathan) Date: Fri, 16 Sep 2005 10:35:40 -0400 Subject: [nycphp-talk] Code cleanliness vs. code popularity In-Reply-To: <1126880464.15372.243077064@webmail.messagingengine.com> References: <1126880464.15372.243077064@webmail.messagingengine.com> Message-ID: <432AD83C.10701@simmons.edu> I think you are bringing up some good points. For example, at one of my previous jobs I had written a lot of objects with functions that operated on $this keywords. Many of the functions "needed" to be accessed in a static way like Class :: function(); and $this doesn't cut it. So I had to rewrite them. Instantiating classes in PHP used to be slow. Where OOP can shine is when you think in terms of Business Objects and Business Logic. And a lot of non-programmers , who pay your salary, do. Flowcharts, forms, datasets all can be mapped easily to components that can be serialized and reused. Not only that, it's easier to abstract these terms to the point where there is code generation. PHP might have some cool procedures, but they are likely difficult to reuse with a simple include() statement. That being said, sometimes OOP is just a way to give a set of functions a namespace. I mix functional and OOP programming depending on context, and I try to be careful when I use OOP not to require instatiation on helper or utility functions. 
Jayesh Sheth wrote: >Hello all, > >I was recently reading through the phpBB source code, and had some >observations to shares. In most of the pages / script files I looked >through, there were 1000 - 2000 lines of PHP code, with no functions or >comments. While the code itself is strictly procedural, it is also to >the point, and not indecipherable. > >Still, some interesting questions came to me: how can one of the most >popular PHP applications be written in eighties-style procedural code? >Or, to rephrase it: are object-oriented design, (fancy) frameworks not >useful in practice? How many of you have worked with commercial, open >source or in-house frameworks? Have you found these frameworks to be >useful in the long run, or do they just get in the way? > >I have long been a fan of PEAR (and other external / third-party) >libraries. I much prefer to save myself work, when I do not have to >reinvent the wheel. Still, in many companies, people prefer to write >everything from scratch, often wrapped up in laborious frameworks. In >your collective experience, what's the best policy for code development? >In other words: bang it out, test it, ship it, receive feedback, fix it, >and then back to the beginning again, or: huge design upfront, OO or >functionized code,UML diagrams, and the 'f' word: a framework. > >I personally cannot write strictly procedural code any more, and I >prefer a mix of functionized and OO code. Still, real world applications >- popular real world applications, often totally avoid this approach. >So, what gives? 
> >- Jay >_______________________________________________ >New York PHP Talk Mailing List >AMP Technology >Supporting Apache, MySQL and PHP >http://lists.nyphp.org/mailman/listinfo/talk >http://www.nyphp.org > > From joshmccormack at travelersdiary.com Fri Sep 16 10:52:01 2005 From: joshmccormack at travelersdiary.com (joshmccormack at travelersdiary.com) Date: Fri, 16 Sep 2005 16:52:01 +0200 Subject: [nycphp-talk] =?iso-8859-1?q?Code_cleanliness_vs=2E_code_popularit?= =?iso-8859-1?q?y?= Message-ID: <0MKp2t-1EGHbG27Gh-0007hK@mrelay.perfora.net> I haven't heard too many kind things said of phpBB code - it frequents the security warning lists, doesn't it? I don't understand why someone wouldn't use functions. I don't profess to be an expert, knowing tons of patterns and in the ins-and-outs of OO programming. But I used functions anywhere I can - Javascript, PHP, Java, etc. It just seems so natural. Here's my funny story that tells you about people not using frameworks. Before PHP had really risen to what it is, and Perl reigned mighty, I knew a guy who worked at Cold Spring laboratories, down the hall from the author of CGI.pm, arguably the Perl framework for web stuff. And he refused to use modules, he wanted to write everything himself. I have my own method of evaluating packages, frameworks, etc. which I do before using any, but I always try to use other's hard work, rather than reinvent the wheel. Josh Jayesh Sheth wrote on 09/16/2005, 04:21:04 PM: > Hello all, > > I was recently reading through the phpBB source code, and had some > observations to shares. In most of the pages / script files I looked > through, there were 1000 - 2000 lines of PHP code, with no functions or > comments. While the code itself is strictly procedural, it is also to > the point, and not indecipherable. > > Still, some interesting questions came to me: how can one of the most > popular PHP applications be written in eighties-style procedural code? 
> Or, to rephrase it: are object-oriented design, (fancy) frameworks not > useful in practice? How many of you have worked with commercial, open > source or in-house frameworks? Have you found these frameworks to be > useful in the long run, or do they just get in the way? > > I have long been a fan of PEAR (and other external / third-party) > libraries. I much prefer to save myself work, when I do not have to > reinvent the wheel. Still, in many companies, people prefer to write > everything from scratch, often wrapped up in laborious frameworks. In > your collective experience, what's the best policy for code development? > In other words: bang it out, test it, ship it, receive feedback, fix it, > and then back to the beginning again, or: huge design upfront, OO or > functionized code,UML diagrams, and the 'f' word: a framework. > > I personally cannot write strictly procedural code any more, and I > prefer a mix of functionized and OO code. Still, real world applications > - popular real world applications, often totally avoid this approach. > So, what gives? > > - Jay > _______________________________________________ > New York PHP Talk Mailing List > AMP Technology > Supporting Apache, MySQL and PHP > http://lists.nyphp.org/mailman/listinfo/talk > http://www.nyphp.org From shiflett at php.net Fri Sep 16 11:30:17 2005 From: shiflett at php.net (Chris Shiflett) Date: Fri, 16 Sep 2005 11:30:17 -0400 Subject: [nycphp-talk] Zend Certification In-Reply-To: <5458518f0509151831af53b9b@mail.gmail.com> References: <5458518f0509151831af53b9b@mail.gmail.com> Message-ID: <432AE509.2060502@php.net> Anthony Papillion wrote: > I'm wanting to find something that can immediately > differentiate myself and my skill set from those people > without the client or employer having to setup an > interview and review sample code, etc. I think a Zend > cert might help do that. 
I think the certification has a lot of value, but keep in mind that it is intended to set a baseline for professional PHP developers. It is often advertised as identifying PHP experts, but I don't think such a label is entirely accurate. > My question is this: how seriously is the certification > taken by employers and clients? I found Zend's recent webcast pretty informative: http://www.zend.com/webcasts/archive.php Chris -- Chris Shiflett Brain Bulb, The PHP Consultancy http://brainbulb.com/ From codebowl at gmail.com Fri Sep 16 12:38:29 2005 From: codebowl at gmail.com (Joseph Crawford) Date: Fri, 16 Sep 2005 12:38:29 -0400 Subject: [nycphp-talk] PHP / Word 2003 COM In-Reply-To: <8d9a428005091605591e654e81@mail.gmail.com> References: <8d9a428005091605591e654e81@mail.gmail.com> Message-ID: <8d9a428005091609386e9f3789@mail.gmail.com> ok so i have figured it out well almost. I am having one issue that i cannot seem to figure out how to fix. When i run my script it goes through the process of creating the mail merge. If i refresh to attempt to do it again my script hangs trying to create the COM object. I have to manually restart my computer before i can run the merge again. Obviously this is not acceptable. Have any of you guys had this issue before when using COM objects? 
Below is my code for my MailMerge class completed with help from http://www.zend.com/tips/tips.php?id=262&single=1

CODE
==========================================
<?php
// The opening of this class (the "<?php" tag, the class and property
// declarations and the signature of the first method) was lost when the list
// archive scrubbed it as an HTML tag; the declarations below are reconstructed
// from how the properties are used, and the method name __construct is assumed.
class MailMerge
{
    private $obj;                  // Word COM automation object
    private $list;                 // array of rows, each an array keyed by field name
    private $mm_data_dir;          // directory for header.doc, ds.doc and merge.doc
    private $rowcnt;
    private $fieldcnt;
    private $columns = array();    // collected below but not used afterwards

    public function __construct($list, $data_dir)
    {
        $this->mm_data_dir = BASE_PATH.'/'.$data_dir;
        $this->list = $list;
        $this->initialize();
        $this->CreateHeaderFile();
        $this->CreateDataSource();
        $this->CreateFile();
        // PHP discards a constructor's return value, so a caller cannot receive this path from "new"
        return($this->mm_data_dir.'/merge.doc');
    }

    private function initialize()
    {
        $this->rowcnt = count($this->list);
        $fieldcnt = 0;
        foreach($this->list as $key => $item) {
            if($fieldcnt == 0) $fieldcnt = count($item);
            $this->columns[] = $key;
        }
        $this->fieldcnt = $fieldcnt;
    }

    private function Close()   { $this->obj->Documents->Close(); }
    private function Quit()    { $this->obj->Quit(); }
    private function Release() { $this->obj = NULL; }

    private function CreateHeaderFile()
    {
        // new COM() throws a com_exception when Word cannot be started, so the
        // "or die()" that followed it never ran and has been dropped
        $this->obj = new COM("word.application");
        if(!is_object($this->obj)) throw new Exception('Unable to instantiate Word!');
        $this->obj->Documents->Add();
        // one-row table of field names: only the keys of the first row are typed
        // (the original typed the keys of every row into this one-row table)
        $this->obj->ActiveDocument->Tables->Add($this->obj->Selection->Range,1,$this->fieldcnt);
        $first = reset($this->list);
        foreach($first as $key => $value) {
            $this->obj->Selection->TypeText($key);
            $this->obj->Selection->MoveRight();
        }
        $this->obj->ActiveDocument->SaveAs($this->mm_data_dir.'/header.doc');
        $this->Close();
        $this->Quit();
        $this->Release();
    }

    private function CreateDataSource()
    {
        $this->obj = new COM("word.application");
        if(!is_object($this->obj)) throw new Exception('Unable to instantiate Word!');
        $this->obj->Documents->Add();
        $this->obj->ActiveDocument->Tables->Add($this->obj->Selection->Range,$this->rowcnt,$this->fieldcnt);
        foreach($this->list as $item) {
            foreach($item as $key => $value) {
                $this->obj->Selection->TypeText($value);
                $this->obj->Selection->MoveRight();
            }
        }
        $this->obj->ActiveDocument->SaveAs($this->mm_data_dir.'/ds.doc');
        $this->Close();
        $this->Quit();
        $this->Release();
    }

    private function CreateFile()
    {
        $this->obj = new COM("word.application");
        if(!is_object($this->obj)) throw new Exception('Unable to instantiate Word!');
        echo $this->mm_data_dir.'/has_sites.dot';   // debugging output left in the original
        $this->obj->Documents->Open($this->mm_data_dir.'/has_sites.dot');
        $this->obj->ActiveDocument->MailMerge->OpenHeaderSource($this->mm_data_dir.'/header.doc');
        $this->obj->ActiveDocument->MailMerge->OpenDataSource($this->mm_data_dir.'/ds.doc');
        $this->obj->ActiveDocument->MailMerge->Execute();
        $this->obj->ActiveDocument->SaveAs($this->mm_data_dir.'/merge.doc');
        $this->Close();
        $this->Quit();
        $this->Release();
        unlink($this->mm_data_dir.'/header.doc');
        unlink($this->mm_data_dir.'/ds.doc');
    }
}
?>
==========================================

Any help would be appreciated.

-- 
Joseph Crawford Jr.
Codebowl Solutions, Inc.
1-802-671-2021
codebowl at gmail.com
-------------- next part --------------
An HTML attachment was scrubbed...
URL: 

From 1j0lkq002 at sneakemail.com Fri Sep 16 13:13:58 2005
From: 1j0lkq002 at sneakemail.com (inforequest)
Date: Fri, 16 Sep 2005 10:13:58 -0700
Subject: [nycphp-talk] Code cleanliness vs. code popularity
In-Reply-To: <1126880464.15372.243077064@webmail.messagingengine.com>
References: <1126880464.15372.243077064@webmail.messagingengine.com>
Message-ID: <13544-39748@sneakemail.com>

Jayesh Sheth jay_nyphp-at-fastmail.fm |nyphp dev/internal group use| wrote:

>Hello all,
>
>I was recently reading through the phpBB source code, and had some
>observations to shares. In most of the pages / script files I looked
>through, there were 1000 - 2000 lines of PHP code, with no functions or
>comments. While the code itself is strictly procedural, it is also to
>the point, and not indecipherable.
>
>Still, some interesting questions came to me: how can one of the most
>popular PHP applications be written in eighties-style procedural code?
>Or, to rephrase it: are object-oriented design, (fancy) frameworks not
>useful in practice? How many of you have worked with commercial, open
>source or in-house frameworks?
Have you found these frameworks to be >useful in the long run, or do they just get in the way? > >I have long been a fan of PEAR (and other external / third-party) >libraries. I much prefer to save myself work, when I do not have to >reinvent the wheel. Still, in many companies, people prefer to write >everything from scratch, often wrapped up in laborious frameworks. In >your collective experience, what's the best policy for code development? >In other words: bang it out, test it, ship it, receive feedback, fix it, >and then back to the beginning again, or: huge design upfront, OO or >functionized code,UML diagrams, and the 'f' word: a framework. > >I personally cannot write strictly procedural code any more, and I >prefer a mix of functionized and OO code. Still, real world applications >- popular real world applications, often totally avoid this approach. >So, what gives? > >- Jay >_________________ > Hi jay. As someone who works with alot of other people's code, I used to always want to re-write stuff rather than learn-and-then-hack with it. It seemd like the best aproach in the long term, for everyon einvlved (client, maintainers, mission). I was wrong. There is alot of cognitive overhead to classes and frameworks. If you have to step into an app, you need to get to a point where you can visualize the framework before you can be sure of the consequences of changes, right? That's a big headache for a highly-utilized yet infrequently-modified system. With procedural code, a new coder can step through it rather easily and be pretty sure of the consequences of change... the places where scope is ill-defined or dependencies exists pop out at you. I know I am way out on the fringe when it comes to professional PHP coding, but I can understand when an older app with a large community sticks with an existing procedural code base. It makes alot of sense to me, given the circumstances. Of course, every situation will put its own weights on those factors. 
-=john andrews
http://www.seo-fun.com

From codebowl at gmail.com Fri Sep 16 13:29:06 2005
From: codebowl at gmail.com (Joseph Crawford)
Date: Fri, 16 Sep 2005 13:29:06 -0400
Subject: [nycphp-talk] PHP / Word 2003 COM
In-Reply-To: <8d9a428005091609386e9f3789@mail.gmail.com>
References: <8d9a428005091605591e654e81@mail.gmail.com> <8d9a428005091609386e9f3789@mail.gmail.com>
Message-ID: <8d9a428005091610298aaa589@mail.gmail.com>

Through extensive testing I have found this to work every time that I run it in debug mode through Zend Studio, however when I run it via the URL it crashes Apache and this is the contents of the Error Log:

[Fri Sep 16 13:14:18 2005] [notice] Parent: child process exited with status 3221225477 -- Restarting.
[Fri Sep 16 13:14:19 2005] [notice] Apache/2.0.54 (Win32) PHP/5.0.4 configured -- resuming normal operations
[Fri Sep 16 13:14:19 2005] [notice] Server built: Apr 16 2005 14:25:31
[Fri Sep 16 13:14:19 2005] [notice] Parent: Created child process 5396
[Fri Sep 16 13:14:20 2005] [notice] Child 5396: Child process is running
[Fri Sep 16 13:14:20 2005] [notice] Child 5396: Acquired the start mutex.
[Fri Sep 16 13:14:20 2005] [notice] Child 5396: Starting 250 worker threads.

Anyone that can help I would very much appreciate it.

-- 
Joseph Crawford Jr.
Codebowl Solutions, Inc.
1-802-671-2021
codebowl at gmail.com
-------------- next part --------------
An HTML attachment was scrubbed...
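The MailMerge class posted earlier in this thread starts Word three separate times, calls die() in the middle of a web request, and types every cell of the header and data tables through its own COM call. The class below is an added example, not Joseph's code and not the Zend tip he worked from: it starts one Word instance for the whole run, quits it on every path including exceptions so no hidden WINWORD.EXE outlives the request, and writes the data source as a CSV file with a header line, which Word accepts directly as a mail-merge source, so the per-cell COM calls and the separate header document go away. It assumes Windows with the PHP COM extension enabled and Word installed; the class name SafeMailMerge, its method names and the sample rows in the usage comment are this example's own, and catch-and-rethrow is used instead of finally because the PHP 5.0.4 in the log above has no finally.

```php
<?php
// Added example (not the list poster's code). Assumes Windows, the PHP COM
// extension and an installed Word; names below are this example's own.
class SafeMailMerge
{
    private $word = null;   // one Word instance reused for the whole merge
    private $dataDir;

    public function __construct($dataDir)
    {
        $real = realpath($dataDir);
        if ($real === false || !is_dir($real) || !is_writable($real)) {
            throw new InvalidArgumentException('data dir is not a writable directory');
        }
        $this->dataDir = $real;
    }

    // Writes the rows as a CSV file whose first line names the fields. Word
    // accepts a delimited text file as a mail-merge data source, so no header
    // document and no per-cell COM calls are needed.
    public function writeDataSource(array $rows)
    {
        if (count($rows) === 0) {
            throw new InvalidArgumentException('no rows to merge');
        }
        $path = $this->dataDir . '/ds.csv';
        $fh = fopen($path, 'w');
        if ($fh === false) {
            throw new RuntimeException('cannot write ' . $path);
        }
        fputcsv($fh, array_keys($rows[0]));          // header line
        foreach ($rows as $row) {
            fputcsv($fh, array_values($row));        // values are quoted as needed
        }
        fclose($fh);
        return $path;
    }

    // Merges one template (a plain name such as "letter", no path parts) with
    // the data source and returns the path of the merged document.
    public function merge($template, $dataSource)
    {
        if (!preg_match('/^[A-Za-z0-9_-]+$/', $template)) {
            throw new InvalidArgumentException('template name must be a plain identifier');
        }
        $out = $this->dataDir . '/' . $template . '.doc';
        try {
            $word = $this->word();
            $doc = $word->Documents->Open($this->dataDir . '/' . $template . '.dot');
            $doc->MailMerge->OpenDataSource($dataSource);
            $doc->MailMerge->Destination = 0;        // wdSendToNewDocument
            $doc->MailMerge->Execute();
            $word->ActiveDocument->SaveAs($out);     // the merge result is now the active document
            $word->ActiveDocument->Close(0);         // wdDoNotSaveChanges
            $doc->Close(0);
        } catch (Exception $e) {
            $this->shutdown();                       // no "finally" in PHP 5.0: clean up, then rethrow
            throw $e;
        }
        return $out;
    }

    private function word()
    {
        if ($this->word === null) {
            $this->word = new COM('Word.Application');
            $this->word->Visible = false;
            // wdAlertsNone: a dialog raised inside a service session has nobody to dismiss it
            $this->word->DisplayAlerts = 0;
        }
        return $this->word;
    }

    // Quit Word first, then drop the COM reference; dropping the reference
    // alone leaves the Word process running.
    public function shutdown()
    {
        if ($this->word !== null) {
            try { $this->word->Quit(0); } catch (Exception $e) { /* already gone */ }
            $this->word = null;
        }
    }

    public function __destruct()
    {
        $this->shutdown();
    }
}

// Usage with constructed sample rows (directory and template names are placeholders):
// $mm = new SafeMailMerge('F:/htdocs/csaf/merge_data');
// $ds = $mm->writeDataSource(array(array('name' => 'Ada', 'site' => 'example.org')));
// $mm->merge('letter', $ds);
// $mm->merge('envelope', $ds);
// $mm->shutdown();
```

Both templates are merged against the same Word instance, so the COM traffic per request drops to a handful of calls per template instead of one per cell, and shutdown() runs whether the merge succeeds, throws, or the object is simply garbage-collected at the end of the request.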
URL: 

From codebowl at gmail.com Fri Sep 16 13:30:09 2005
From: codebowl at gmail.com (Joseph Crawford)
Date: Fri, 16 Sep 2005 13:30:09 -0400
Subject: [nycphp-talk] PHP / Word 2003 COM
In-Reply-To: <8d9a428005091610298aaa589@mail.gmail.com>
References: <8d9a428005091605591e654e81@mail.gmail.com> <8d9a428005091609386e9f3789@mail.gmail.com> <8d9a428005091610298aaa589@mail.gmail.com>
Message-ID: <8d9a4280050916103035ccd546@mail.gmail.com>

I should note that I am using basically the same URL when testing and debugging.

test url
http://codebowl.dontexist.net/csaf/mm.php

debug URL
http://codebowl.homelinux.net:443/csaf/mm.php?start_debug=1&debug_port=10000&debug_host=192.168.1.103,192.168.0.1,127.0.0.1&send_sess_end=1&debug_no_cache=1126890649718&debug_stop=1&debug_url=1&debug_new_session=1

-- 
Joseph Crawford Jr.
Codebowl Solutions, Inc.
1-802-671-2021
codebowl at gmail.com
-------------- next part --------------
An HTML attachment was scrubbed...
URL: 

From codebowl at gmail.com Fri Sep 16 14:55:46 2005
From: codebowl at gmail.com (Joseph Crawford)
Date: Fri, 16 Sep 2005 14:55:46 -0400
Subject: [nycphp-talk] Code Optimization Help
Message-ID: <8d9a428005091611552eb8f15e@mail.gmail.com>

Hello Everyone,

I have some code that is using COM to interact with MS Word to create a mail merge based on my mysql database, however it is running dreadfully slow, 13.53846 seconds to be exact. This is only running on 34 records, I could imagine running this on a few hundred records not to mention thousand. Is COM usually this slow? These load times I believe to be accurate as they come from Zend Studio's profiler. You can see screenshots of the profile @ http://codebowl.dontexist.net/bugs/MailMerge/

Below you will see my code, anything you guys see that I could do to speed this up quite a bit I would appreciate it. It seems the naughty methods are CreateHeader, CreateDataSource, CreateDocument.
CODE
=====================================================
<?php
// The opening of this class (the "<?php" tag, the class and property
// declarations and the constructor signature) was lost when the list archive
// scrubbed it as an HTML tag; the declarations below are reconstructed from
// how the properties are used, and the constructor name is assumed.
class MailMerge
{
    private $obj;                // Word COM automation object
    private $list;               // array of rows, each an array keyed by field name
    private $mm_data_dir;        // directory for header.doc, ds.doc and the merged output
    private $letter_template;
    private $envelope_template;
    private $rowcnt;
    private $fieldcnt;

    public function __construct($list, $data_dir, $letter, $envelope)
    {
        $this->mm_data_dir = 'F:/htdocs/csaf/'.$data_dir;
        $this->list = $list;
        $this->letter_template = $letter;
        $this->envelope_template = $envelope;
        $this->initialize();
        $this->CreateHeaderFile();
        $this->CreateDataSource();
        $this->CreateDocument($this->letter_template);
        $this->CreateDocument($this->envelope_template);
    }

    public function __destruct()
    {
        // remove the intermediate files once the merged documents have been written
        unlink($this->mm_data_dir.'/ds.doc');
        unlink($this->mm_data_dir.'/header.doc');
    }

    private function initialize()
    {
        $this->rowcnt = count($this->list);
        $this->fieldcnt = count($this->list[0]);
    }

    private function Close()   { $this->obj->Documents->Close(); }
    private function Quit()    { $this->obj->Quit(); }
    private function Release() { $this->obj = NULL; }

    private function CreateHeaderFile()
    {
        // new COM() throws a com_exception when Word cannot be started, so the
        // "or die()" that followed it never ran and has been dropped
        $this->obj = new COM("word.application");
        if(!is_object($this->obj)) throw new Exception('Unable to instantiate Word!');
        $this->obj->Documents->Add();
        // one-row table of field names: only the keys of the first row are typed
        // (the original loop typed the keys of every row into this one-row table)
        $this->obj->ActiveDocument->Tables->Add($this->obj->Selection->Range,1,$this->fieldcnt);
        foreach($this->list[0] as $key => $value) {
            $this->obj->Selection->TypeText($key);
            $this->obj->Selection->MoveRight();
        }
        $this->obj->ActiveDocument->SaveAs($this->mm_data_dir.'/header.doc');
        $this->Close();
        $this->Quit();
        $this->Release();
    }

    private function CreateDataSource()
    {
        $this->obj = new COM("word.application");
        if(!is_object($this->obj)) throw new Exception('Unable to instantiate Word!');
        $this->obj->Documents->Add();
        $this->obj->ActiveDocument->Tables->Add($this->obj->Selection->Range,$this->rowcnt,$this->fieldcnt);
        // "$i <= $this->rowcnt" in the original ran one row past the end of the list
        for($i = 0; $i < $this->rowcnt; $i++) {
            foreach($this->list[$i] as $key => $value) {
                $this->obj->Selection->TypeText($value);
                $this->obj->Selection->MoveRight();
            }
        }
        $this->obj->ActiveDocument->SaveAs($this->mm_data_dir.'/ds.doc');
        $this->Close();
        $this->Quit();
        $this->Release();
    }

    private function CreateDocument($template)
    {
        $this->obj = new COM("word.application");
        if(!is_object($this->obj)) throw new Exception('Unable to instantiate Word!');
        $this->obj->Documents->Open($this->mm_data_dir.'/'.$template.'.dot');
        $this->obj->ActiveDocument->MailMerge->OpenHeaderSource($this->mm_data_dir.'/header.doc');
        $this->obj->ActiveDocument->MailMerge->OpenDataSource($this->mm_data_dir.'/ds.doc');
        $this->obj->ActiveDocument->MailMerge->Execute();
        $this->obj->ActiveDocument->SaveAs($this->mm_data_dir.'/'.$template.'.doc');
        $this->Close();
        $this->Quit();
        $this->Release();
    }
}
?>

-- 
Joseph Crawford Jr.
Codebowl Solutions, Inc.
1-802-671-2021
codebowl at gmail.com
-------------- next part --------------
An HTML attachment was scrubbed...
URL: 

From ken at secdat.com Fri Sep 16 19:11:25 2005
From: ken at secdat.com (Kenneth Downs)
Date: Fri, 16 Sep 2005 19:11:25 -0400 (EDT)
Subject: [nycphp-talk] Code cleanliness vs. code popularity
In-Reply-To: <1126880464.15372.243077064@webmail.messagingengine.com>
References: <1126880464.15372.243077064@webmail.messagingengine.com>
Message-ID: <38085.38.117.147.25.1126912285.squirrel@38.117.147.25>

> Hello all,
>
> I was recently reading through the phpBB source code, and had some
> observations to shares. In most of the pages / script files I looked
> through, there were 1000 - 2000 lines of PHP code, with no functions or
> comments. While the code itself is strictly procedural, it is also to
> the point, and not indecipherable.
>
> Still, some interesting questions came to me: how can one of the most
> popular PHP applications be written in eighties-style procedural code?
> Or, to rephrase it: are object-oriented design, (fancy) frameworks not
> useful in practice? How many of you have worked with commercial, open
> source or in-house frameworks? Have you found these frameworks to be
> useful in the long run, or do they just get in the way?

I don't know the developers, but if I had to guess I would say it was a very small group that has total control of coding practice.
Most of the "crucial advances" in programming languages of the past 20 years are meant to make it easier for large groups to work together. When one or a few people work very intensely on a project, the only thing that really seems to matter is that they stay focused and undistracted, in which case they always know what is going on and can code it in sanskrit if they want. > > I have long been a fan of PEAR (and other external / third-party) > libraries. I much prefer to save myself work, when I do not have to > reinvent the wheel. Still, in many companies, people prefer to write > everything from scratch, often wrapped up in laborious frameworks. In > your collective experience, what's the best policy for code development? > In other words: bang it out, test it, ship it, receive feedback, fix it, > and then back to the beginning again, or: huge design upfront, OO or > functionized code,UML diagrams, and the 'f' word: a framework. Since opinions you desire, opnions you shall have! :) First is the min/max principle. Use the smallest number of technologies to the largest benefit. This thinking drives me away from Java and to PHP. One simple example is that I can do anything with a PHP Associative Array, while Java wants me to use all kinds of different objects for different purposes. That violates min/max. The reason big shops avoid 3rd party stuff is they want to keep control and avoid having their quality rest upon somebody else's work. This is very important when the 3rd parties are commercial and tend to go out of business on you. I've written 1 LAN framework, one C/S framework, and one 3-tier framework. The reason people like to do them is because they are fun, a lot more fun than coding up the invoice form. Therein also lies their threat. They become complicated and random, and then everyone is working for the framework instead of the framework working for you. 
My biggest beef with frameworks is that they are usually all about managing labor instead of eliminating it. Why lay out 20 tasks for me to do for every table in a database? If they are so well known, shouldn't the framework do them automatically for me? My latest 3-tier framework is as close to zero-code as I've gotten, and it's where I want to stay.

The two largest groups of unreasonable zealots you will ever meet are the high priests of the Two Towers, Object Orientation and Database Theory. The only way to work out how to handle what they say is to make sure you understand it. The database people see all the world as tables, and the OO people see everything as an object. Since everything in the end does end up in a database, I tend to think the database people are more correct, but they are doing nothing with this advantage.

>
> I personally cannot write strictly procedural code any more, and I
> prefer a mix of functionized and OO code. Still, real world applications
> - popular real world applications, often totally avoid this approach.
> So, what gives?

Well consider that there is nothing inherent in a web call that requires OO. Strictly speaking it is a procedural operation, which might be written out as:

1) Trying to logout? Reset their session
2) No session? Give 'em a cookie
3) Not authenticated? Send 'em to the login page
4) What do they want? Any database writes to do? Do 'em
5) What will we show them? Any database reads? Do 'em
6) Format the HTML, send it out.

There is nothing in that that requires OO. There are repeating designs that suggest it, such as an object for every table, but somehow I've managed to get along just fine without that. Instead I have a datafile for every table that describes the table and a common library that reads the data file to figure out what to do.

Bottom line: experiment with what feels most comfortable to you naturally, and here and there experiment with things that do not feel so comfortable.
Sometimes you will be glad you did because you'll learn something new, and sometimes you'll confirm your hunch that you didn't want to go that way. > > - Jay > _______________________________________________ > New York PHP Talk Mailing List > AMP Technology > Supporting Apache, MySQL and PHP > http://lists.nyphp.org/mailman/listinfo/talk > http://www.nyphp.org > -- Kenneth Downs Secure Data Software 631-379-0010 ken at secdat.com PO Box 708 East Setauket, NY 11733 From greg.rundlett at gmail.com Fri Sep 16 20:21:49 2005 From: greg.rundlett at gmail.com (Greg Rundlett) Date: Fri, 16 Sep 2005 20:21:49 -0400 Subject: [nycphp-talk] Code Optimization Help In-Reply-To: <8d9a428005091611552eb8f15e@mail.gmail.com> References: <8d9a428005091611552eb8f15e@mail.gmail.com> Message-ID: <5e2aaca405091617213a92b124@mail.gmail.com> On 9/16/05, Joseph Crawford wrote: > > Hello Everyone, > > I have some code that is using COM to interact with MS Word to create a > mail merge based on my sorry i don't have time to review your code, but just wanted to point out that http://pastebin.com is the best tool I know of for soliciting feedback on code.... you paste your code, and then post the link in your mailinglist, forum whatever. -------------- next part -------------- An HTML attachment was scrubbed... URL: From codebowl at gmail.com Fri Sep 16 21:09:14 2005 From: codebowl at gmail.com (Joseph Crawford) Date: Fri, 16 Sep 2005 21:09:14 -0400 Subject: [nycphp-talk] Code Optimization Help In-Reply-To: <5e2aaca405091617213a92b124@mail.gmail.com> References: <8d9a428005091611552eb8f15e@mail.gmail.com> <5e2aaca405091617213a92b124@mail.gmail.com> Message-ID: <8d9a4280050916180931cf7678@mail.gmail.com> Greg, I realize this however the code is only stored there for what 3 hours i think... 
then it's gone so i figured i would post to the list

On 9/16/05, Greg Rundlett wrote:
>
> On 9/16/05, Joseph Crawford wrote:
> >
> > Hello Everyone,
> >
> > I have some code that is using COM to interact with MS Word to create a
> > mail merge based on my
>
> sorry i don't have time to review your code, but just wanted to point out
> that http://pastebin.com is the best tool I know of for soliciting
> feedback on code.... you paste your code, and then post the link in your
> mailing list, forum whatever.

--
Joseph Crawford Jr.
Codebowl Solutions, Inc.
1-802-671-2021
codebowl at gmail.com

From phil at bearingasset.com Sat Sep 17 09:08:28 2005
From: phil at bearingasset.com (Phil Duffy)
Date: Sat, 17 Sep 2005 09:08:28 -0400
Subject: [nycphp-talk] Code cleanliness vs. code popularity
In-Reply-To: <13544-39748@sneakemail.com>
Message-ID: <20050917130842.BF7E2A86D1@virtu.nyphp.org>

> -----Original Message-----
> From: talk-bounces at lists.nyphp.org [mailto:talk-bounces at lists.nyphp.org]
> On Behalf Of inforequest
> Sent: Friday, September 16, 2005 12:14 PM
> To: talk at lists.nyphp.org
> Subject: Re: [nycphp-talk] Code cleanliness vs. code popularity

John Andrews wrote:
> There is a lot of cognitive overhead to classes and frameworks. If you
> have to step into an app, you need to get to a point where you can
> visualize the framework before you can be sure of the consequences of
> changes, right? That's a big headache for a highly-utilized yet
> infrequently-modified system.
>
> With procedural code, a new coder can step through it rather easily and
> be pretty sure of the consequences of change... the places where scope
> is ill-defined or dependencies exist pop out at you.

Hi John,

I think you have hit the nail on the head. I am going through the process of learning PHP, XHTML and CSS while developing a major application that uses PEAR libraries and an MVC framework. I have lots of procedural programming experience and lots of object-oriented design experience, but little object-oriented programming experience (a strange combination). The learning curve is steep because things are not always done the direct and obvious way, but in a manner reflecting "best practices".

I believe we are dealing with a tradeoff versus an absolute on this question. For a "highly utilized, yet infrequently modified system" procedural code may be the right strategy. However, I can't recall too many situations in my career when I was exposed to that kind of project. Clients seem to want to extend successful systems and you reach the tipping point where procedural code maintenance becomes increasingly problematic. It is difficult at that point to reverse field.

It is too soon to determine if my current project will be a success, but currently I am pursuing a modification of your rule - if there is any doubt about extending the system, accept the grief of the steeper object-oriented learning curve and framework and simply accept this as a cost of doing business.

I hope this perspective helps. Clearly we are dealing with a subject that lacks absolutes.

Phil

From lists at zaunere.com Sat Sep 17 09:25:56 2005
From: lists at zaunere.com (Hans Zaunere)
Date: Sat, 17 Sep 2005 09:25:56 -0400
Subject: [nycphp-talk] FW: [nycbug-talk] Live from NYCBSDCon
Message-ID: <0MKp2t-1EGchX3XVU-0004h7@mrelay.perfora.net>

Hi folks - fun from Columbia at NYCBSDCon '05 - tune in below...

---
Hans Zaunere / President / New York PHP
www.nyphp.org / www.nyphp.com

Hans Zaunere wrote on Saturday, September 17, 2005 9:25 AM:
> Good morning,
>
> We're live at NYCBSDCon '05 from Columbia University.
>
> Thanks to all those who could attend, and for those who couldn't make
> it, watch our live stream from the conference:
>
> http://neuropunks.org/nycbsdcon/
>
> Hans Zaunere
>
>
> _______________________________________________
> % NYC*BUG talk mailing list
> http://lists.nycbug.org/mailman/listinfo/talk
> %Be sure to check out our Jobs and NYCBUG-announce lists
> %We meet the first Wednesday of the month

From danielc at analysisandsolutions.com Sat Sep 17 18:38:14 2005
From: danielc at analysisandsolutions.com (Daniel Convissor)
Date: Sat, 17 Sep 2005 18:38:14 -0400
Subject: [nycphp-talk] Input Filtering
In-Reply-To: <4b188711050725100013671882@mail.gmail.com>
References: <4b188711050725100013671882@mail.gmail.com>
Message-ID: <20050917223814.GA7988@panix.com>

Hey Jeff:

On Mon, Jul 25, 2005 at 01:00:28PM -0400, Jeff Loiselle wrote:
> Can anyone recommend any good packages for input filtering?

Check out my Form Solution. Not the end all and be all, but it's pretty handy.

http://www.analysisandsolutions.com/software/form/

--Dan

--
T H E   A N A L Y S I S   A N D   S O L U T I O N S   C O M P A N Y
data intensive web and database programming
http://www.AnalysisAndSolutions.com/
4015 7th Ave #4, Brooklyn NY 11232  v: 718-854-0335 f: 718-854-0409

From jay_nyphp at fastmail.fm Sat Sep 17 20:42:46 2005
From: jay_nyphp at fastmail.fm (Jayesh Sheth)
Date: Sat, 17 Sep 2005 20:42:46 -0400
Subject: [nycphp-talk] Code cleanliness vs. code popularity
Message-ID: <1127004166.9837.243155620@webmail.messagingengine.com>

Hello all,

thanks for your great, well-thought-out responses!

I agree with John Andrews (I keep wanting to call him Andrew!) that there is a lot of advance learning required before getting into a (heavy) framework. I also agree with Kenneth Downs that people often write frameworks because they are fun to write (and always because they are needed).
When you are coding within the confines of a framework, you are expected to do common things (database calls / business object usage, configuration reads, template output) through the framework, and not outside of it.

There are some frameworks which have proven themselves to be immensely useful, and perhaps indispensable to some. One of these, I have heard, is Struts for Java. Another one for PHP that looks beautifully perfect is Seagull (it uses PEAR libraries too). I like Seagull's approach of building on existing PEAR libraries. This is good for two reasons. The first is that there is no reinventing the wheel [example: for form generation and validation (PEAR HTML_QuickForm is used), and for DB access (PEAR DB is used)]. The second is that PEAR is emerging as the de-facto standard for object oriented PHP code; by building on PEAR, Seagull is using proven libraries to make a great framework. I have not used Seagull, but I have looked at its code and online docs. And there have been a bunch of (positive) articles about it in the PHP Journal / Magazine space recently.

Having thought about it a bit, I think that when phpBB was initially released, it was coded by a small group of people, and filled an unmet need. It grew greatly in popularity over time, but its codebase never changed. It has some funky things in it that would prevent easy changes; for example, in some scripts, there is a large switch / case block that constructs SQL for either MySQL or Postgres or other DBs. It would have been better to use different DB 'drivers' or classes for each DB type, and pass an instance of those in at runtime (Strategy pattern: identify the things that change, break them into their own classes, and using composition pass them into another object at run time).

Then again, these very thoughts (cool design patterns) fill the heads of people who write frameworks. And what can happen is that the framework comes before the software that has to be written. What I mean is that writing a cool framework becomes a goal in itself, rather than supporting the end-goal of creating a piece of software that serves a particular purpose well.

I think it is really hard to write good software, and it is even harder to write a good / useful framework. Writing a framework often involves mind-reading, because a good framework will anticipate the needs of applications that need to be built on top of it, and support it either inherently or through easy extension.

There are many applications out there that serve a single purpose, and do what they do very well (from a functionality point of view). They may not be coded well, but from the user's perspective, they have cool features, and work well. Examples in the PHP world are phpBB, Tasks Lite / Pro and Gallery. These applications may have chunks of HTML stuffed into random strings, they may not use many functions, but they provide a host of features that work, they are updated often, and many millions of people use them.

I think it is unfortunate that many products that are built on top of obsessed-over, carefully written frameworks fail to meet the business needs they originally set out to fulfill.

Thought: If at the end of the day a product does not serve its end users well, then should it be considered a failure?

Just my 2 words cents :-)

- Jay

From 1j0lkq002 at sneakemail.com Sat Sep 17 21:07:53 2005
From: 1j0lkq002 at sneakemail.com (inforequest)
Date: Sat, 17 Sep 2005 18:07:53 -0700
Subject: [nycphp-talk] Code cleanliness vs. code popularity
In-Reply-To: <1127004166.9837.243155620@webmail.messagingengine.com>
References: <1127004166.9837.243155620@webmail.messagingengine.com>
Message-ID: <24523-33632@sneakemail.com>

Jayesh Sheth jay_nyphp-at-fastmail.fm |nyphp dev/internal group use| wrote:

>Hello all,
>
>thanks for your great, well-thought-out responses!
>

Jay, I think forums/bb's are a special case. They are a classic "script" situation, with a long history of being "scripted" as opposed to "developed".

I recall an early version of a popular BB system (not sure how it is today) that was "object oriented PHP". Basically *everything* was in the constructor, so you instantiated an object and it ran all the routines contained within the constructor. Add a member? Create an "add a member" object and the constructor would run the functions for adding a member. Make a new post? Instantiate a new_post object, and likewise all of the necessary routines would be run (in the constructor). It was a clean code set and easy to follow, but hardly an OO application.

-=john andrews
http://www.seo-fun.com
when dreamhost isn't down

From greg.rundlett at gmail.com Sat Sep 17 22:17:40 2005
From: greg.rundlett at gmail.com (Greg Rundlett)
Date: Sat, 17 Sep 2005 22:17:40 -0400
Subject: [nycphp-talk] Code cleanliness vs. code popularity
In-Reply-To: <24523-33632@sneakemail.com>
References: <1127004166.9837.243155620@webmail.messagingengine.com> <24523-33632@sneakemail.com>
Message-ID: <5e2aaca40509171917249783e@mail.gmail.com>

In my experience, fudforum is a better forum software than phpBB, and the main author is a PEAR member who has many code contributions to open source beyond fudforum. And, he (Ilya Alshanetsky) is also security conscious so that is a primary requirement of fudforum.

I haven't used it in a while, so I just downloaded it again and checked the source to see if it's Object Oriented. I can't be sure because the download only includes an installer, which apparently bootstraps the download of the software. That seems fine, however one major concern that I have is that there is binary content in the installer. I posed a question on the site to find out what it is, and how they could license it under the GPL if the installer itself is part binary.

Until that is clarified, I guess I would suggest NOT using it.
From dcech at phpwerx.net Sat Sep 17 23:45:02 2005
From: dcech at phpwerx.net (Dan Cech)
Date: Sat, 17 Sep 2005 23:45:02 -0400
Subject: [nycphp-talk] Code cleanliness vs. code popularity
In-Reply-To: <5e2aaca40509171917249783e@mail.gmail.com>
References: <1127004166.9837.243155620@webmail.messagingengine.com> <24523-33632@sneakemail.com> <5e2aaca40509171917249783e@mail.gmail.com>
Message-ID: <432CE2BE.4050704@phpwerx.net>

Greg Rundlett wrote:
> In my experience, fudforum is a better forum software
> than phpBB, and the main author is a PEAR member who has many code
> contributions to open source beyond fudforum. And, he (Ilya Alshanetsky) is
> also security conscious so that is a primary requirement of fudforum.

It certainly looks like an interesting alternative to the usual phpBB or vBulletin. I've also heard good things about SimpleMachines Forum.

> I haven't used it in a while, so I just downloaded it again and checked the
> source to see if it's Object Oriented. I can't be sure because the download
> only includes an installer, which apparently bootstraps the download of the
> software. That seems fine, however one major concern that I have is that
> there is binary content in the installer. I posed a question on the site to
> find out what it is, and how they could license it under the GPL if the
> installer itself is part binary.

I was intrigued by your comment so I took a look. It appears that they have essentially created a self-extracting archive with php. The first part of the file contains php code which extracts the gzipped contents of the second portion of the file.

The reason for the binary data is twofold. Firstly the gzipped data is binary and secondly they added some extra binary data (apparently an extract from linux kernel 2.4.18) to 'trick' windows into thinking it's a binary file and avoid line ending conversion.

To my mind it would have been much easier and more transparent to separate the gzipped source into its own file rather than lumping it in together, but as far as I know once decompressed you have full source so it should be fine GPL-wise. A second approach would have been to base64 encode the gzipped data, which would have made it resilient against mangling by ftp clients etc.

> Until that is clarified, I guess I would suggest NOT using it.

I guess that should take care of the issues, I for one would love to hear any reports if people do use it for anything.

Dan

From arzala at gmail.com Sun Sep 18 08:27:15 2005
From: arzala at gmail.com (Anirudh Zala)
Date: Sun, 18 Sep 2005 17:57:15 +0530
Subject: [nycphp-talk] [Re: Code cleanliness vs. code popularity]
Message-ID: <432D5D23.1000705@gmail.com>

In general I would call OO a Luxury added to the normal way of programming. So it is meant to be only for those groups of programmers who can afford it (in general, who really can understand it and can use it effectively). Since there is not any standard convention in programming about what technology or framework is to be used, a programmer can choose either any 1 of both or both of them. This entirely depends upon the person who is going to code and the level of his/her experience.

Normally an OO framework is used in Product based softwares where 80%-90% of requirements are defined, so developers can start building whatever kind of framework according to requirements. And in future changes can be released in terms of patches or service packs. So the real beauty of OO programming shines only when you have most of the requirements defined in your mind.

But in the other case, where Service based softwares are developed, at a time you would have only half of the total requirements defined. So if you start coding your software entirely using OO techniques, you might have problems in future when some requirements differ in a significant way, as you can not change frameworks or code easily which is OO based. So here you must choose mixed environments where you design some code using OO techniques and some code using procedural techniques like normal functions.

Most web based softwares are service based only, because requirements often get changed time by time depending upon users' requests or by companies' policies. Though procedural code adds repetitive work sometimes, it keeps your software easy to understand by new programmers, because web based softwares are developed to keep running for a long time and obviously, the same team of programmers can not be there always, as they might have been moved to other projects or simply their life line is over.

You can see that C++ and Java are mainly OO programming languages, but could you see their Effective versions that can be used for developing web based softwares?

So personally, I would use both approaches in an effective way while developing web based softwares.

Thanks

Anirudh Zala

Jayesh Sheth wrote:
> Hello all,
>
> I was recently reading through the phpBB source code, and had some
> observations to share. In most of the pages / script files I looked
> through, there were 1000 - 2000 lines of PHP code, with no functions or
> comments. While the code itself is strictly procedural, it is also to
> the point, and not indecipherable.
>
> Still, some interesting questions came to me: how can one of the most
> popular PHP applications be written in eighties-style procedural code?
> Or, to rephrase it: are object-oriented design, (fancy) frameworks not
> useful in practice? How many of you have worked with commercial, open
> source or in-house frameworks? Have you found these frameworks to be
> useful in the long run, or do they just get in the way?
>
> I have long been a fan of PEAR (and other external / third-party)
> libraries. I much prefer to save myself work, when I do not have to
> reinvent the wheel. Still, in many companies, people prefer to write
> everything from scratch, often wrapped up in laborious frameworks. In
> your collective experience, what's the best policy for code development?
> In other words: bang it out, test it, ship it, receive feedback, fix it,
> and then back to the beginning again, or: huge design upfront, OO or
> functionized code, UML diagrams, and the 'f' word: a framework.
>
> I personally cannot write strictly procedural code any more, and I
> prefer a mix of functionized and OO code. Still, real world applications
> - popular real world applications, often totally avoid this approach.
> So, what gives?
>
> - Jay

--
----------------------------------------------------------------
Anirudh Zala (Production Manager),   ASPL, 814-815, Star Plaza,
Ph: +91 281 245 1894                 Phhulchhab Square,
anirudh at aspl.in                     Rajkot 360001, Gujarat
http://www.aspl.in                   INDIA
----------------------------------------------------------------

From matt at jobsforge.com Sun Sep 18 10:28:22 2005
From: matt at jobsforge.com (Matthew Terenzio)
Date: Sun, 18 Sep 2005 10:28:22 -0400
Subject: [nycphp-talk] [Re: Code cleanliness vs. code popularity]
In-Reply-To: <432D5D23.1000705@gmail.com>
References: <432D5D23.1000705@gmail.com>
Message-ID:

On Sep 18, 2005, at 8:27 AM, Anirudh Zala wrote:
> So if
> you start coding your software entirely using OO techniques, you might
> have problems in future when some requirements differ in significant
> way
> as you can not change frameworks or code easily which is OO based.

Funny, because I tend to think the opposite.

If you know exactly what you want and it won't change, write a bunch of scripts.

If things might change down the line, encapsulate it. Then you can modify things without breaking it.

That said, it's certainly possible to make large, flexible applications using procedural programming techniques, but thinking about the issues which OO was made to solve.

From jeff.siegel at nyphp.org Sun Sep 18 13:28:23 2005
From: jeff.siegel at nyphp.org (Jeff Siegel)
Date: Sun, 18 Sep 2005 13:28:23 -0400
Subject: [nycphp-talk] NEW PHundamentals: HTTP Response Splitting
Message-ID: <0IN0009PRWJCXT00@mta6.srv.hcvlny.cv.net>

A new PHundamentals article - "HTTP Response Splitting" - has been posted. This article addresses the issue of the botnet that attempts to inject email headers in a PHP form.

As always, comments and suggestions are welcome. Please be sure the subject line of your comment/suggestion refers to this article by name.

See: http://www.nyphp.org/phundamentals/http_response_splitting.php

Jeff Siegel
NYPHP PHundamentals
From danielc at analysisandsolutions.com Sun Sep 18 13:44:16 2005
From: danielc at analysisandsolutions.com (Daniel Convissor)
Date: Sun, 18 Sep 2005 13:44:16 -0400
Subject: [nycphp-talk] NEW PHundamentals: HTTP Response Splitting
In-Reply-To: <0IN0009PRWJCXT00@mta6.srv.hcvlny.cv.net>
References: <0IN0009PRWJCXT00@mta6.srv.hcvlny.cv.net>
Message-ID: <20050918174416.GA22271@panix.com>

Hi Jeff (and everyone):

On Sun, Sep 18, 2005 at 01:28:23PM -0400, Jeff Siegel wrote:
> A new PHundamentals article - "HTTP Response Splitting" - has been posted.
...
> http://www.nyphp.org/phundamentals/http_response_splitting.php

The posting seems to have ignored much of the discussion regarding this topic we had on the list.

In addition, the article is misnamed. The attack at hand isn't response splitting, which has to do with injecting items into header() calls.

--Dan

From jsiegel1 at optonline.net Sun Sep 18 14:02:30 2005
From: jsiegel1 at optonline.net (Jeff Siegel)
Date: Sun, 18 Sep 2005 14:02:30 -0400
Subject: [nycphp-talk] NEW PHundamentals: HTTP Response Splitting
In-Reply-To: <20050918174416.GA22271@panix.com>
Message-ID: <0IN000GGNY46VR00@mta8.srv.hcvlny.cv.net>

Re: Title - Point well taken.

If there are some specifics of the discussion that you feel should be included, do not hesitate to point out those particular items. Remember (and this is really addressed to all), the Phundamentals are not meant to recapitulate an entire discussion but to distill the essential points. So if there are any essential points that are missing, please let it be known so changes can be made.

Jeff

From jeff.siegel at nyphp.org Sun Sep 18 14:02:30 2005
From: jeff.siegel at nyphp.org (Jeff Siegel)
Date: Sun, 18 Sep 2005 14:02:30 -0400
Subject: [nycphp-talk] Phundamentals Title Change: Email Header Injection
Message-ID: <0IN000J45Y47A310@mta7.srv.hcvlny.cv.net>

The title of the most recent PHundamentals article has been changed to "Email Header Injection."

See: http://www.nyphp.org/phundamentals/email_header_injection.php

Jeff
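The renamed article, and Dan's distinction above between injecting mail headers and injecting into header() calls, both come down to the same defect: a value taken from a request is copied into a header without rejecting line breaks. As an added example (not code from the PHundamentals article or from anyone on the list), the PHP below shows one precautionary filter for a contact form: every field that ends up in a mail header is checked for CR, LF and NUL before mail() would be called, and the recipient is fixed in the script rather than taken from the form, so the protection does not depend on any list of addresses seen in past abuse. The function names, field names and sample submissions are my own constructions; filter_var() is assumed to be available (PHP 5.2 or later).

```php
<?php
// Added example, not from the PHundamentals article or any list post.
// Mail header injection: a script copies a form field (name, subject,
// sender address) into a mail header, and the field contains CR/LF, so
// whatever follows becomes extra headers or a second message. The
// precaution below rejects such input up front, independent of any list
// of addresses seen in past abuse.

/**
 * True when $value may be placed inside a single mail (or HTTP) header.
 * CR, LF and NUL end or fold a header; %0d/%0a are refused as well, as a
 * conservative measure in case a later layer URL-decodes the value.
 */
function is_header_safe($value)
{
    if (!is_string($value)) {
        return false;
    }
    if (preg_match('/[\r\n\x00]/', $value)) {
        return false;
    }
    if (preg_match('/%0[ad]/i', $value)) {
        return false;
    }
    return true;
}

/**
 * True when $value is a single, syntactically valid address. filter_var()
 * already rejects whitespace and control characters, but the header check
 * is kept explicit so the intent is visible.
 */
function is_valid_address($value)
{
    return is_header_safe($value)
        && filter_var($value, FILTER_VALIDATE_EMAIL) !== false;
}

/**
 * Build the arguments for mail() from an untrusted form submission.
 * Returns an array of arguments on success, or a string naming the
 * rejected field. $recipient is fixed by the script, never by the form.
 */
function build_contact_mail(array $form, $recipient)
{
    foreach (array('name', 'email', 'subject', 'message') as $field) {
        if (!isset($form[$field]) || !is_string($form[$field])) {
            return "missing field: $field";
        }
    }
    // Only header-bound fields need the line-break check; the body may
    // legitimately contain newlines.
    foreach (array('name', 'subject') as $field) {
        if (!is_header_safe($form[$field])) {
            return "header injection attempt in field: $field";
        }
    }
    if (!is_valid_address($form['email'])) {
        return "invalid address in field: email";
    }
    // The display name is placed in a quoted string; drop quotes and
    // backslashes so the name cannot terminate that string early.
    $name = str_replace(array('"', '\\'), '', $form['name']);
    $headers = 'From: "' . $name . '" <' . $form['email'] . ">\r\n"
             . 'Reply-To: ' . $form['email'] . "\r\n";
    return array(
        'to'      => $recipient,
        'subject' => $form['subject'],
        'message' => $form['message'],
        'headers' => $headers,
    );
}

// Constructed sample submissions, not captured traffic.
$clean = array(
    'name'    => 'Jane Example',
    'email'   => 'jane@example.org',
    'subject' => 'Question about the product',
    'message' => "Hello,\nis it available in blue?",
);
$tampered = $clean;
$tampered['subject'] = "Hello\r\nBcc: someone-else@example.net";

$ok = build_contact_mail($clean, 'webmaster@example.com');
echo is_array($ok) ? "clean submission accepted\n" : "unexpected: $ok\n";
$bad = build_contact_mail($tampered, 'webmaster@example.com');
echo is_string($bad) ? "rejected: $bad\n" : "unexpected acceptance\n";
// Only when build_contact_mail() returned an array would the script call
// mail($ok['to'], $ok['subject'], $ok['message'], $ok['headers']);
```

The same is_header_safe() test applies to any value a script hands to header(), which is the response-splitting case Dan refers to; PHP has refused header() calls whose value contains a newline since 5.1.2, but the strings passed to mail() should be validated by the script itself rather than left to the runtime. Logging the rejected field, as the function's return string allows, also gives a web server or application log entry to cross-reference against mail logs when an abuse attempt is investigated.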
From danielc at analysisandsolutions.com Sun Sep 18 14:13:59 2005
From: danielc at analysisandsolutions.com (Daniel Convissor)
Date: Sun, 18 Sep 2005 14:13:59 -0400
Subject: [nycphp-talk] NEW PHundamentals: HTTP Response Splitting
In-Reply-To: <0IN000GGNY46VR00@mta8.srv.hcvlny.cv.net>
References: <20050918174416.GA22271@panix.com> <0IN000GGNY46VR00@mta8.srv.hcvlny.cv.net>
Message-ID: <20050918181359.GB10855@panix.com>

Hey Jeff:

On Sun, Sep 18, 2005 at 02:02:30PM -0400, Jeff Siegel wrote:
>
> Remember (and this is really addressed to all), the Phundamentals are not
> meant to recapitulate an entire discussion but to distill the essential
> points.

That makes total sense. Thing is, the article posted looks like the text initially proposed in the thread, which includes several problems which I and other people raised. The issues are too numerous to raise here again.

--Dan

From shiflett at php.net Sun Sep 18 15:30:04 2005
From: shiflett at php.net (Chris Shiflett)
Date: Sun, 18 Sep 2005 15:30:04 -0400
Subject: [nycphp-talk] NEW PHundamentals: HTTP Response Splitting
In-Reply-To: <20050918174416.GA22271@panix.com>
References: <0IN0009PRWJCXT00@mta6.srv.hcvlny.cv.net> <20050918174416.GA22271@panix.com>
Message-ID: <432DC03C.1080705@php.net>

Daniel Convissor wrote:
> In addition, the article is misnamed. The attack at hand
> isn't response splitting, which has to do with injecting
> items into header() calls.

Yeah, I thought I had missed a cool thread or something at first. :-)

For what it's worth, I think HTTP Response Splitting might make an interesting phundamental. I guess there's not tons to say, but maybe some people on this list have some creative ideas about what can be done. I usually just demonstrate setting a cookie or something (and show how this can be used for session fixation - e.g., set PHPSESSID).

Chris

--
Chris Shiflett
Brain Bulb, The PHP Consultancy
http://brainbulb.com/

From shiflett at php.net Sun Sep 18 15:34:50 2005
From: shiflett at php.net (Chris Shiflett)
Date: Sun, 18 Sep 2005 15:34:50 -0400
Subject: [nycphp-talk] Phundamentals Title Change: Email Header Injection
In-Reply-To: <0IN000J45Y47A310@mta7.srv.hcvlny.cv.net>
References: <0IN000J45Y47A310@mta7.srv.hcvlny.cv.net>
Message-ID: <432DC15A.8080409@php.net>

Jeff Siegel wrote:
> See: http://www.nyphp.org/phundamentals/email_header_injection.php

I recommend that we change:

"All PHP scripts which send email based on input data are vulnerable."

to:

"All PHP scripts which send email based on tainted data are vulnerable."

or:

"All PHP scripts which send email based on input data might be vulnerable."

It might be better to reword it some other way, but it's false as written.

Chris

From shiflett at php.net Sun Sep 18 15:45:14 2005
From: shiflett at php.net (Chris Shiflett)
Date: Sun, 18 Sep 2005 15:45:14 -0400
Subject: [nycphp-talk] [Re: Code cleanliness vs. code popularity]
In-Reply-To:
References: <432D5D23.1000705@gmail.com>
Message-ID: <432DC3CA.8070006@php.net>

Matthew Terenzio wrote:
> If you know exactly what you want and it won't change, write a
> bunch of scripts.
>
> If things might change down the line, encapsulate it. Then you
> can modify things without breaking it.
>
> That said, it's certainly possible to make large, flexible
> applications using procedural programming techniques, but
> thinking about the issues which OO was made to solve.

I tend to write more procedural code than OO, and I agree with this statement. Of course you can do just as much with a procedural paradigm, but it's good to sometimes step back and make sure you're not solving too many of the same problems that OO solves.

I can usually tell that I've chosen the wrong approach when one of two things happens:

1. I'm writing procedural code, and I'm cobbling together some of the same features that are inherent in an OO approach.

2. I'm writing OO code, but I'm not really using any of its features.

That's my personal sanity check. :-)

Chris

From shiflett at php.net Sun Sep 18 16:42:16 2005
From: shiflett at php.net (Chris Shiflett)
Date: Sun, 18 Sep 2005 16:42:16 -0400
Subject: [nycphp-talk] Code cleanliness vs. code popularity
In-Reply-To: <5e2aaca40509171917249783e@mail.gmail.com>
References: <1127004166.9837.243155620@webmail.messagingengine.com> <24523-33632@sneakemail.com> <5e2aaca40509171917249783e@mail.gmail.com>
Message-ID: <432DD128.8030102@php.net>

Greg Rundlett wrote:
> In my experience, fudforum is a better forum
> software than phpBB, and the main author is a PEAR member who has many
> code contributions to open source beyond fudforum.

He's more than a PEAR contributor. Ilia is a primary contributor to PHP itself, and he has even served as release manager (for 4.3, I think).

FUDforum is faster, more reliable, and more secure than phpBB, but it has a poor interface (in my opinion). I think there is currently a big push to improve this aspect.

> That seems fine, however one major concern that I have is that there
> is binary content in the installer. I posed a question on the site to
> find out what it is, and how they could license it under the GPL if
> the installer itself is part binary.

It sounds like you misunderstand the GPL.

> Until that is clarified, I guess I would suggest NOT using it.

In that case, you might want to stop using PHP. You can get binary distributions of it. (Binary is not a bad word.)
Chris -- Chris Shiflett Brain Bulb, The PHP Consultancy http://brainbulb.com/ From mail at billyreisinger.com Sun Sep 18 19:56:41 2005 From: mail at billyreisinger.com (Billy Reisinger) Date: Sun, 18 Sep 2005 19:56:41 -0400 Subject: [nycphp-talk] Phundamentals Title Change: Email Header Injection In-Reply-To: <0IN000J45Y47A310@mta7.srv.hcvlny.cv.net> References: <0IN000J45Y47A310@mta7.srv.hcvlny.cv.net> Message-ID: My 2 cents about the content of the post are: "Grep through your mail server logs for the list of emails, using a command something like this: grep -f exploitaddresses.lst /var/log/maillog (or wherever your mail log is located) If any are found, cross reference the time of the mailing to times in your web server logs to help determine the exploitable script. Modify any such scripts to properly filter input fields, with a function something like this:" I think you should encourage everyone to fix their script, not just those who find the email addresses you listed in their logs. As someone succinctly pointed out in the thread about this injection attack, the email addresses being used for this attack are most likely subject to change. People should be safeguarding their scripts as a precautionary measure, not as a band-aid after the fact. Cheers! Billy Reisinger On Sep 18, 2005, at 2:02 PM, Jeff Siegel wrote: > The title of the most recent PHundamentals article has been changed > to "Email Header Injection." > > See: http://www.nyphp.org/phundamentals/email_header_injection.php > > Jeff > _______________________________________________ > New York PHP Talk Mailing List > AMP Technology > Supporting Apache, MySQL and PHP > http://lists.nyphp.org/mailman/listinfo/talk > http://www.nyphp.org -------------- next part -------------- An HTML attachment was scrubbed... URL: From jay_nyphp at fastmail.fm Sun Sep 18 21:57:47 2005 From: jay_nyphp at fastmail.fm (Jayesh Sheth) Date: Sun, 18 Sep 2005 21:57:47 -0400 Subject: [nycphp-talk] Code cleanliness vs. 
code popularity
Message-ID: <1127095067.7691.243200368@webmail.messagingengine.com>

Hi everyone,

Here is a brief follow-up on PHP forums.

I followed my curiosity today, and checked out the code of a handful of open source PHP bulletin board systems. The ones I checked out were: Bee Hive Forum, MiniBB, W-Agora, smf, l-forum, and Phorum.

I had used MiniBB in the past, and it works well from a user's point of view, and its templates were easy to customize. I had never really looked into its code, which is not commented at all, and frankly almost obfuscated. (Sorry that came out so harsh!) It's a neat piece of software to use, but heaven help me if I were asked to customize it at the code (as opposed to template) level.

I briefly looked through the other packages, and none of them, except Phorum, seemed to have been coded well. I checked out Phorum on a lark, having remembered it from years ago, when Mozillazine used its version 2 software. (Mozillazine has since moved to phpBB.) Phorum is now up to version 5. A lot / most of its code seems to be functionized, or uses functions. I like that! I tried out a demo at opensourcecms.com, and it seems okay. Best of all, http://forums.mysql.com/ seems to use it. There are some glaring user interface boo-boos: for example, in order to register as a new user, you have to click on 'log in'. This error could be easily fixed. They even have a developer blog, and their site has a tidy and easy-to-navigate feel to it. Check it out: http://www.phorum.org .

I have been wanting to check out Fudforum too. I wish someone would make a zip or tar.gz file of its uncompressed sources so I could check it out.
Best regards,
- Jay

From jsiegel1 at optonline.net Mon Sep 19 06:47:40 2005
From: jsiegel1 at optonline.net (Jeff Siegel)
Date: Mon, 19 Sep 2005 06:47:40 -0400
Subject: [nycphp-talk] Phundamentals Title Change: Email Header Injection
In-Reply-To:
Message-ID: <0IN200CYV8NHMOE0@mta10.srv.hcvlny.cv.net>

Point well taken and I believe it was Dan C. who noted the need to not rely on that list of "known" email addresses.

Jeff

_____
From: talk-bounces at lists.nyphp.org [mailto:talk-bounces at lists.nyphp.org] On Behalf Of Billy Reisinger
Sent: Sunday, September 18, 2005 6:57 PM
To: NYPHP Talk
Subject: Re: [nycphp-talk] Phundamentals Title Change: Email Header Injection

My 2 cents about the content of the post are:

"Grep through your mail server logs for the list of emails, using a command something like this: grep -f exploitaddresses.lst /var/log/maillog (or wherever your mail log is located) If any are found, cross reference the time of the mailing to times in your web server logs to help determine the exploitable script. Modify any such scripts to properly filter input fields, with a function something like this:"

I think you should encourage everyone to fix their script, not just those who find the email addresses you listed in their logs. As someone succinctly pointed out in the thread about this injection attack, the email addresses being used for this attack are most likely subject to change. People should be safeguarding their scripts as a precautionary measure, not as a band-aid after the fact.

Cheers!
Billy Reisinger

On Sep 18, 2005, at 2:02 PM, Jeff Siegel wrote:
The title of the most recent PHundamentals article has been changed to "Email Header Injection."
See: http://www.nyphp.org/phundamentals/email_header_injection.php

Jeff

From dcech at phpwerx.net Mon Sep 19 08:24:27 2005
From: dcech at phpwerx.net (Dan Cech)
Date: Mon, 19 Sep 2005 08:24:27 -0400
Subject: [nycphp-talk] Phundamentals Title Change: Email Header Injection
In-Reply-To: <0IN200CYV8NHMOE0@mta10.srv.hcvlny.cv.net>
References: <0IN200CYV8NHMOE0@mta10.srv.hcvlny.cv.net>
Message-ID: <432EADFB.8040907@phpwerx.net>

Jeff & list,

I believe I managed to avoid weighing into the various debates raging back and forth in the thread. The idea of checking for particular email addresses in the mail logs does seem pretty naive, especially as they are such a throwaway item these days.

Personally I'm of the opinion that these kinds of forms should require inputs that are supposed to be email addresses to look like email addresses. Not only will that remove the possibility of this exploit, it will also cut down (ever so slightly) on malformed addresses being sent through to the mail subsystem. Good user feedback for 'invalid' addresses should allow anyone using the form to 'correct' them, so I see little point in blindly accepting something that isn't obviously an email address.

The other common vulnerable field seems to be the Subject, though I see very little reason not to restrict that (or any other non-address) field to something like /^([-a-z0-9!@#$%^&*()_\[\]{}\\|;:'",.<>\/?+= ]+)$/i, especially considering the fact that non-ascii characters are usually frowned upon in email headers.
Also, correct me if I'm wrong but I believe the %0A encoding is purely used in the request string, once it gets into PHP it will just see either \n or \r, the literal string %0A does not pose any risk to emails as a string itself.

Dan

Jeff Siegel wrote:
> Point well taken and I believe it was Dan C. who noted the need to not rely on that list of "known" email addresses.
>
> Jeff

From greg.rundlett at gmail.com Mon Sep 19 11:14:00 2005
From: greg.rundlett at gmail.com (Greg Rundlett)
Date: Mon, 19 Sep 2005 11:14:00 -0400
Subject: [nycphp-talk] Code cleanliness vs. code popularity
In-Reply-To: <432DD128.8030102@php.net>
References: <1127004166.9837.243155620@webmail.messagingengine.com> <24523-33632@sneakemail.com> <5e2aaca40509171917249783e@mail.gmail.com> <432DD128.8030102@php.net>
Message-ID: <5e2aaca405091908149a71a71@mail.gmail.com>

On 9/18/05, Chris Shiflett wrote:
>
> Greg Rundlett wrote:
> > In my experience, fudforum is a better forum software than phpBB, and the main author is a PEAR member who has many code contributions to open source beyond fudforum.
>
> He's more than a PEAR contributor. Ilia is a primary contributor to PHP itself, and he has even served as release manager (for 4.3, I think). FUDforum is faster, more reliable, and more secure than phpBB, but it has a poor interface (in my opinion). I think there is currently a big push to improve this aspect.
>
> > That seems fine, however one major concern that I have is that there is binary content in the installer. I posed a question on the site to find out what it is, and how they could license it under the GPL if the installer itself is part binary.
>
> It sounds like you misunderstand the GPL.

Huh? One of the primary objectives of the GPL is to allow for distribution of human-readable source code, not binary. I have no misunderstanding in that regard.

> Until that is clarified, I guess I would suggest NOT using it.
>
> In that case, you might want to stop using PHP.
> You can get binary distributions of it.

b/c I do not know how to read binary code, I do not wish to put a personal recommendation on something which is binary. My comments have nothing to do with what formats PHP itself is available in. On top of that, PHP is not exactly relevant to a discussion of what the GPL means since it's not even licensed under the GPL. PHP developers switched from a GPL license to the PHP license way back around version 3.

I was trying to be helpful with a recommendation of a good forum software, and somehow you twisted the thread completely off-topic.

Ilya responded to my question about the binary contents here: http://fudforum.org/forum/index.php?t=msg&goto=27661&#msg_27661

There are about 9.3M of sources, which I don't have time to review, but they are all available. And, I repeat: In my experience, FUDForum is better software than phpBB. I was intending to give credit to Ilya originally because I've been impressed with his work since the days of the template flame-wars on the PEAR-DEV list.

> (Binary is not a bad word.)

Well, at least this comment is accurate and non-inflammatory. Just last week I was telling people that they should come hear your presentation at the next BostonPHP meeting. I hope your presentation is accurate and non-inflammatory too.

> Chris
>
> --
> Chris Shiflett
> Brain Bulb, The PHP Consultancy
> http://brainbulb.com/

From dwclifton at gmail.com Mon Sep 19 14:16:21 2005
From: dwclifton at gmail.com (Douglas Clifton)
Date: Mon, 19 Sep 2005 14:16:21 -0400
Subject: [nycphp-talk] Code cleanliness vs.
code popularity
In-Reply-To:
References:
Message-ID: <7d6cdcb050919111628773565@mail.gmail.com>

If you're interested in PHP-based forum packages, I'd recommend taking a look at Vanilla:

http://www.getvanilla.com/

I use it on my own site, and compared to the others I've reviewed...well, just have a look yourself.

~d

--
Douglas Clifton
dwclifton at gmail.com
http://loadaveragezero.com/
http://loadaveragezero.com/app/s9y/
http://loadaveragezero.com/drx/rss/recent

> ---------- Forwarded message ----------
> From: "Jayesh Sheth"
> To: "NYPHP Talk"
> Date: Sun, 18 Sep 2005 21:57:47 -0400
> Subject: [nycphp-talk] Code cleanliness vs. code popularity
> Hi everyone,
>
> Here is a brief follow-up on PHP forums.
>
> I followed my curiosity today, and checked out the code of a handful of open source PHP bulletin board systems. The ones I checked out were: Bee Hive Forum, MiniBB, W-Agora, smf, l-forum, and Phorum.
>
> I had used MiniBB in the past, and it works well from a user's point of view, and its templates were easy to customize. I had never really looked into its code, which is not commented at all, and frankly almost obfuscated. (Sorry that came out so harsh!) It's a neat piece of software to use, but heaven help me if I were asked to customize it at the code (as opposed to template) level.
>
> I briefly looked through the other packages, and none of them, except Phorum, seemed to have been coded well. I checked out Phorum on a lark, having remembered it from years ago, when Mozillazine used its version 2 software. (Mozillazine has since moved to phpBB.) Phorum is now up to version 5. A lot / most of its code seems to be functionized, or uses functions. I like that! I tried out a demo at opensourcecms.com, and it seems okay. Best of all, http://forums.mysql.com/ seems to use it. There are some glaring user interface boo-boos: for example, in order to register as a new user, you have to click on 'log in'.
> This error could be easily fixed. They even have a developer blog, and their site has a tidy and easy-to-navigate feel to it. Check it out: http://www.phorum.org .
>
> I have been wanting to check out Fudforum too. I wish someone would make a zip or tar.gz file of its uncompressed sources so I could check it out.

From chsnyder at gmail.com Mon Sep 19 15:09:42 2005
From: chsnyder at gmail.com (csnyder)
Date: Mon, 19 Sep 2005 15:09:42 -0400
Subject: [nycphp-talk] Code cleanliness vs. code popularity
In-Reply-To: <7d6cdcb050919111628773565@mail.gmail.com>
References: <7d6cdcb050919111628773565@mail.gmail.com>
Message-ID:

On 9/19/05, Douglas Clifton wrote:
> If you're interested in PHP-based forum packages, I'd recommend taking a look at Vanilla:
>
> http://www.getvanilla.com/
>
> I use it on my own site, and compared to the others I've reviewed...well, just have a look yourself. ~d
>

That's -really- nice. And reams of developer docs, too. It's still a little geek-centric, but the developers have obviously made a conscious effort to create forum software for a wider audience.

--
Chris Snyder
http://chxo.com/

From shiflett at php.net Mon Sep 19 16:50:00 2005
From: shiflett at php.net (Chris Shiflett)
Date: Mon, 19 Sep 2005 16:50:00 -0400
Subject: [nycphp-talk] Code cleanliness vs. code popularity
In-Reply-To: <5e2aaca405091908149a71a71@mail.gmail.com>
References: <1127004166.9837.243155620@webmail.messagingengine.com> <24523-33632@sneakemail.com> <5e2aaca40509171917249783e@mail.gmail.com> <432DD128.8030102@php.net> <5e2aaca405091908149a71a71@mail.gmail.com>
Message-ID: <432F2478.1050103@php.net>

Greg Rundlett wrote:
> Huh? One of the primary objectives of the GPL is to allow for distribution of human-readable source code, not binary. I have no misunderstanding in that regard.

The GPL attempts to guarantee code's freedom (as opposed to BSD licenses which place more emphasis on users' freedom).
There is nothing that requires software licensed under the GPL to only be distributed as source code. Compiled binaries have always been fine as long as the source is made available somehow (and that's only a requirement if you distribute it - you can keep your modifications private if you don't). In fact, most people use binaries to install Linux.

> b/c I do not know how to read binary code, I do not wish to put a personal recommendation on something which is binary.

That's understandable, but I don't see why you felt the need to specifically recommend against using it. In this case, it's like recommending that people not use Apache because apache_1.3.33.tar.gz is binary.

> Just last week I was telling people that they should come hear your presentation at the next BostonPHP meeting. I hope your presentation is accurate and non-inflammatory too.

Well, it's live (not email), so I think it's harder to misinterpret my intentions. However, if you feel that correcting your misunderstanding about the GPL is inflammatory, then you might find something offensive in the talk.

Chris

--
Chris Shiflett
Brain Bulb, The PHP Consultancy
http://brainbulb.com/

From odragola at gmail.com Mon Sep 19 17:09:09 2005
From: odragola at gmail.com (Odra Gola)
Date: Mon, 19 Sep 2005 17:09:09 -0400
Subject: [nycphp-talk] highest key of an array
Message-ID:

is there a quick way to return the numerically highest key of an array? (not the element)
I wrote my own function to do it, but I'm afraid I'm reinventing the wheel

Thanks,
Olaf

From adam at trachtenberg.com Mon Sep 19 17:19:48 2005
From: adam at trachtenberg.com (Adam Maccabee Trachtenberg)
Date: Mon, 19 Sep 2005 17:19:48 -0400 (EDT)
Subject: [nycphp-talk] highest key of an array
In-Reply-To:
References:
Message-ID:

On Mon, 19 Sep 2005, Odra Gola wrote:
> is there a quick way to return the numerically highest key of an array?
> (not the element)
> I wrote my own function to do it, but I'm afraid I'm reinventing the wheel

Assuming you add keys in a sensible order:

end($array);
$highest = key($array);

Otherwise, you should sort the array first.

-adam

--
adam at trachtenberg.com | http://www.trachtenberg.com
author of o'reilly's "upgrading to php 5" and "php cookbook"
avoid the holiday rush, buy your copies today!

From kenrbnsn at rbnsn.com Mon Sep 19 17:21:37 2005
From: kenrbnsn at rbnsn.com (Ken Robinson)
Date: Mon, 19 Sep 2005 17:21:37 -0400
Subject: [nycphp-talk] highest key of an array
In-Reply-To:
References:
Message-ID: <6.2.5.4.2.20050919171923.0aaec7e0@rbnsn.com>

At 05:09 PM 9/19/2005, Odra Gola wrote:
> is there a quick way to return the numerically highest key of an array? (not the element)
> I wrote my own function to do it, but I'm afraid I'm reinventing the wheel

Use:

$a = array();
max(array_keys($a))

Example:

<?php
// Sample array. The original values were lost when the archive stripped the
// message's HTML; this reconstructed array is only illustrative.
$a = array(3 => 'c', 7 => 'a', 5 => 'b');
// The echo for the max key was stripped in the same way and is restored here
// by symmetry with the surviving min-key line.
echo 'Max key=' . max(array_keys($a)) . ' value=' . $a[max(array_keys($a))];
echo '<br>Min key=' . min(array_keys($a)) . ' value=' . $a[min(array_keys($a))];
echo '<br>Max value=' . max($a);
echo '<br>Min value=' . min($a);
?>

Ken

From papillion at gmail.com Mon Sep 19 17:23:09 2005
From: papillion at gmail.com (Anthony Papillion II)
Date: Mon, 19 Sep 2005 16:23:09 -0500
Subject: [nycphp-talk] highest key of an array
In-Reply-To:
References:
Message-ID: <432F2C3D.5070201@gmail.com>

> Assuming you add keys in

That triggers a question in my mind: what do you mean "sensible order"? When I assign a new array element doesn't PHP automatically assign the next highest value as its number? Or is this something that I need to manage manually?

Thanks,
Anthony

From kenrbnsn at rbnsn.com Mon Sep 19 17:34:12 2005
From: kenrbnsn at rbnsn.com (Ken Robinson)
Date: Mon, 19 Sep 2005 17:34:12 -0400
Subject: [nycphp-talk] highest key of an array
In-Reply-To: <432F2C3D.5070201@gmail.com>
References: <432F2C3D.5070201@gmail.com>
Message-ID: <6.2.5.4.2.20050919173006.0a974f28@rbnsn.com>

At 05:23 PM 9/19/2005, Anthony Papillion II wrote:
> > Assuming you add keys in
>
> That triggers a question in my mind: what do you mean "sensible order"? When I assign a new array element doesn't PHP automatically assign the next highest value as its number? Or is this something that I need to manage manually?

If you're just adding to an array using the '$arr[]' construct, then PHP will increment the index for you. But, let's say you're getting information out of a database and each record is uniquely identified by an ID number in the database. If you use that ID number as the index when you store the record in the array, the order you store them may not be in ascending order according to that number.

Ken
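The input checks Dan Cech proposes in the Email Header Injection thread above (address fields must look like an address; Subject and other header-bound fields are restricted to his printable-ASCII whitelist), written out as an added example that is not code from any list participant. The field names, the sample submissions and the function names are my own.

```php
<?php
// Added example (not from any post in the thread): the checks Dan Cech
// describes, as two small functions. Field names and sample data are my own.

// An address field has to look like a single address. FILTER_VALIDATE_EMAIL
// rejects CR, LF, spaces and a second '@', so nothing that could start a
// new header line gets through to mail().
function valid_address_field(string $value): bool
{
    return filter_var($value, FILTER_VALIDATE_EMAIL) !== false;
}

// Every other header-bound field (Subject, Name) is held to the printable
// ASCII whitelist from the thread. \r and \n are not in the class, so any
// attempt to end the header early fails the match.
function valid_header_field(string $value): bool
{
    $allowed = '/^([-a-z0-9!@#$%^&*()_\[\]{}\\\\|;:\'",.<>\/?+= ]+)$/i';
    return preg_match($allowed, $value) === 1;
}

// Returns a list of problems for one form submission; an empty list means
// the fields are safe to put into mail headers.
function validate_contact_form(array $post): array
{
    $errors = [];
    if (!valid_address_field($post['email'] ?? '')) {
        $errors[] = 'email: must be a single address such as user@example.com';
    }
    foreach (['name', 'subject'] as $field) {
        if (!valid_header_field($post[$field] ?? '')) {
            $errors[] = "$field: only printable ASCII characters are allowed";
        }
    }
    return $errors;
}

// Constructed submissions. By the time PHP fills $_POST, a %0A or %0D in the
// request has already been decoded, so the check looks for the raw newline,
// not for the literal string "%0A".
$submissions = [
    'clean'            => ['email' => 'alice@example.com',
                           'name' => 'Alice', 'subject' => 'Order question'],
    'newline in email' => ['email' => "alice@example.com\nBcc: other@example.net",
                           'name' => 'Alice', 'subject' => 'Order question'],
    'crlf in subject'  => ['email' => 'alice@example.com',
                           'name' => 'Alice', 'subject' => "Order question\r\nTo: other@example.net"],
    'non-ascii name'   => ['email' => 'alice@example.com',
                           'name' => "Alice\xC3\xA9", 'subject' => 'Order question'],
];

foreach ($submissions as $label => $fields) {
    $errors = validate_contact_form($fields);
    echo str_pad($label, 18),
         $errors === [] ? 'accepted' : 'rejected: ' . implode('; ', $errors),
         "\n";
}
```

Only the first submission is accepted; the other three are rejected before anything reaches the mail subsystem.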
From papillion at gmail.com Mon Sep 19 17:37:11 2005
From: papillion at gmail.com (Anthony Papillion II)
Date: Mon, 19 Sep 2005 16:37:11 -0500
Subject: [nycphp-talk] highest key of an array
In-Reply-To: <6.2.5.4.2.20050919173006.0a974f28@rbnsn.com>
References: <432F2C3D.5070201@gmail.com> <6.2.5.4.2.20050919173006.0a974f28@rbnsn.com>
Message-ID: <432F2F87.3060300@gmail.com>

> If you're just adding to an array using the '$arr[]' construct, then PHP will increment the index for you. But, let's say you're getting information out of a database and each record is uniquely identified by an ID number in the database. If you use that ID number as the index when you store the record in the array, the order you store them may not be in ascending order according to that number.

Makes sense. I'd not considered that. Thanks!

Anthony

From rahmin at insite-out.com Mon Sep 19 17:45:08 2005
From: rahmin at insite-out.com (Rahmin Pavlovic)
Date: Mon, 19 Sep 2005 17:45:08 -0400
Subject: [nycphp-talk] highest key of an array
Message-ID: <200509192145.j8JLj8lS015225@webmail2.megamailservers.com>

An embedded and charset-unspecified text was scrubbed... Name: not available

From thegeek at thecolorgeek.com Mon Sep 19 18:06:05 2005
From: thegeek at thecolorgeek.com (thegeek)
Date: Mon, 19 Sep 2005 18:06:05 -0400
Subject: [nycphp-talk] Multiple query from out put
In-Reply-To: <432F2F87.3060300@gmail.com>
References: <432F2C3D.5070201@gmail.com> <6.2.5.4.2.20050919173006.0a974f28@rbnsn.com> <432F2F87.3060300@gmail.com>
Message-ID: <20050919220605.9219.qmail@mail1.fluidhosting.com>

Well, need some guidance here. Pretty much a beginner. Here is what I would like to do. I have a script that searches a table within the database and returns multiple entries (zip codes) in that table. I would then like to take each one of zipcodes and search another table for store addresses. So I am unsure how to format to make multiple queries from the original zipcode search.
I can query the database (MySQL) with a single zip and get what I need but don't know where to start when to repeat that with a multiple query. This is a volunteer non profit project with no money and no real deadline so a good opportunity for me to learn.

Paul G

From kenrbnsn at rbnsn.com Mon Sep 19 18:14:33 2005
From: kenrbnsn at rbnsn.com (Ken Robinson)
Date: Mon, 19 Sep 2005 18:14:33 -0400
Subject: [nycphp-talk] highest key of an array
In-Reply-To: <200509192145.j8JLj8lS015225@webmail2.megamailservers.com>
References: <200509192145.j8JLj8lS015225@webmail2.megamailservers.com>
Message-ID: <6.2.5.4.2.20050919181306.0ac6b4f0@rbnsn.com>

At 05:45 PM 9/19/2005, Rahmin Pavlovic wrote:
> You can also use array() to create quasi-objects, stuff like:
>
> $user=array('firstname'=>'Bob', 'username'=>'bobbo23');
>
> $subscription=array();
> $subscription['basic']=array();
> $subscription['basic']['price']=50;

Yes, but the original question dealt with numerical indices, not associative ones.

Ken

From gatzby3jr at gmail.com Mon Sep 19 18:24:52 2005
From: gatzby3jr at gmail.com (Brian O'Connor)
Date: Mon, 19 Sep 2005 18:24:52 -0400
Subject: [nycphp-talk] Multiple query from out put
In-Reply-To: <20050919220605.9219.qmail@mail1.fluidhosting.com>
References: <432F2C3D.5070201@gmail.com> <6.2.5.4.2.20050919173006.0a974f28@rbnsn.com> <432F2F87.3060300@gmail.com> <20050919220605.9219.qmail@mail1.fluidhosting.com>
Message-ID: <29da5d1505091915244ca3c28d@mail.gmail.com>

If you're storing the address of the stores in separate rows, where zip code is its own row you could do something like this:

$query = "SELECT stores.* FROM stores, zip_codes WHERE stores.zip = zip_codes.value AND zip_codes.value = '$zip_code';";

Obviously you need to replace the tables / structure with what you have in place.
Also, you could just do "SELECT * FROM stores WHERE zip_code = '$zipcode';"; (the stray second quote after $zipcode in the posted version would break the query).

Also, if you're wondering about the multiple queries with the return from the first query that you mentioned, you can use a while loop when assigning the value of mysql_fetch_array, which then handles all the results from the database with the code included within the while loop.

Hope that helps (and sorry if I was confusing).

On 9/19/05, thegeek wrote:
>
> Well, need some guidance here. Pretty much a beginner. Here is what I would like to do. I have a script that searches a table within the database and returns multiple entries (zip codes) in that table. I would then like to take each one of zipcodes and search another table for store addresses. So I am unsure how to format to make multiple queries from the original zipcode search. I can query the database (MySQL) with a single zip and get what I need but don't know where to start when to repeat that with a multiple query. This is a volunteer non profit project with no money and no real deadline so a good opportunity for me to learn.
>
> Paul G

--
Brian O'Connor

From 1j0lkq002 at sneakemail.com Mon Sep 19 18:38:20 2005
From: 1j0lkq002 at sneakemail.com (inforequest)
Date: Mon, 19 Sep 2005 15:38:20 -0700
Subject: [nycphp-talk] Multiple query from out put
In-Reply-To: <20050919220605.9219.qmail@mail1.fluidhosting.com>
References: <432F2C3D.5070201@gmail.com> <6.2.5.4.2.20050919173006.0a974f28@rbnsn.com> <432F2F87.3060300@gmail.com> <20050919220605.9219.qmail@mail1.fluidhosting.com>
Message-ID: <32520-69739@sneakemail.com>

thegeek thegeek-at-thecolorgeek.com |nyphp dev/internal group use| wrote:
> Well, need some guidance here.
> Pretty much a beginner. Here is what I would like to do. I have a script that searches a table within the database and returns multiple entries (zip codes) in that table. I would then like to take each one of zipcodes and search another table for store addresses. So I am unsure how to format to make multiple queries from the original zipcode search. I can query the database (MySQL) with a single zip and get what I need but don't know where to start when to repeat that with a multiple query. This is a volunteer non profit project with no money and no real deadline so a good opportunity for me to learn.
>
> Paul G
>

You might be best served if you post a code snippet for your project. Put on your hard hat first, and send it to the list and I am *quite sure* you will get some expert opinions.

-=john andrews
http://www.seo-fun.com

From rolson at aeso.org Tue Sep 20 01:18:26 2005
From: rolson at aeso.org (Rick Olson)
Date: Mon, 19 Sep 2005 22:18:26 -0700
Subject: [nycphp-talk] PHPWiki
In-Reply-To: <43242A1B.4050102@magpie.com>
References: <43242A1B.4050102@magpie.com>
Message-ID: <432F9BA2.3000904@aeso.org>

I've had really poor experiences with PHPWiki in the past. We "upgraded" to MediaWiki, and it has been fantastic :) So, I'd have to second everyone else who recommended MediaWiki. It takes me all of 97 seconds to install MediaWiki, perhaps another perk :)

-Rick

Steve Manes wrote:
> Pardon me if this has been discussed before. I assume it has been but I was probably outside having a smoke. What's the general opinion about PHPWiki here?
>
> I'm tasked with setting up a Wiki for a large open source PHP dev project for Childrens Health Fund. I've set up and used TikiWiki before and it worked fine. It's just a bit of overkill for our needs and it would sorta politically undercut my argument for PHP as the base language for this project if I installed a perl wiki.
>
> I downloaded v1.3 last night and got it running okay albeit with tons of PHP warnings, mostly about using invalid types in referenced arg variables. I googled relentlessly on this problem only to find myself directed to other PHPWiki sites, most of which suffered from the same affliction.
>
> I know how to turn off those warnings and know (pretty much) what's causing them. But I'd rather not mask the symptoms. Also, PHP warnings indicate potentially problematic code.
>
> Is v1.3 not ready for prime time or does it require PHP5? The installation docs are somewhat byzantine. Is there a better PHP alternative to PHPWiki?

From mlynch1 at gmail.com Tue Sep 20 04:56:06 2005
From: mlynch1 at gmail.com (Mike Lynch)
Date: Tue, 20 Sep 2005 09:56:06 +0100
Subject: [nycphp-talk] Quickform: Select All Checkboxes
Message-ID: <9db292e9050920015625609d83@mail.gmail.com>

Hi All

I am using QF to display a variable number of checkboxes (depends on what is returned from a database query). The number of "checkable" items can be quite large. What is the best way to implement a "Select All" and "Deselect All" option for these checkboxes in Quickform ?

Thanks
Mike
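For Paul G's "Multiple query from out put" question above, an added example that is not code from any list participant. It shows the two shapes the replies describe, one join query versus a loop that runs a prepared store lookup once per zip, and in both the request value is bound as a parameter instead of being spliced into the SQL string the way '$zip_code' is in the posted snippets. It uses an in-memory SQLite database through PDO as a stand-in for MySQL so it runs by itself; the table and column names and the sample rows are my own.

```php
<?php
// Added example, not code from any message in the thread. SQLite in memory
// stands in for MySQL; schema, names and rows are constructed for the demo.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

$db->exec('CREATE TABLE zip_codes (zip TEXT, city TEXT)');
$db->exec('CREATE TABLE stores (name TEXT, zip TEXT)');
// Constructed sample data.
$db->exec("INSERT INTO zip_codes VALUES ('10001','New York'),('10002','New York'),('07302','Jersey City')");
$db->exec("INSERT INTO stores VALUES ('Midtown Market','10001'),('Delancey Deli','10002'),"
        . "('Canal Corner','10002'),('Newport Books','07302')");

// Approach 1: let the database do the work in one query. The city comes
// from the request, so it is bound as a parameter rather than interpolated
// into the SQL; a quote character in it is matched literally, not parsed.
function stores_in_city(PDO $db, string $city): array
{
    $stmt = $db->prepare(
        'SELECT s.name AS store_name, s.zip
           FROM stores AS s
           JOIN zip_codes AS z ON z.zip = s.zip
          WHERE z.city = :city
          ORDER BY s.zip, s.name'
    );
    $stmt->execute([':city' => $city]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Approach 2: the loop the original poster asked about. The first query
// returns the zips; the store lookup is prepared once and executed per zip.
function stores_in_city_looped(PDO $db, string $city): array
{
    $zips = $db->prepare('SELECT zip FROM zip_codes WHERE city = :city ORDER BY zip');
    $zips->execute([':city' => $city]);

    $byZip = $db->prepare('SELECT name AS store_name, zip FROM stores WHERE zip = :zip ORDER BY name');
    $rows = [];
    while (($zip = $zips->fetchColumn()) !== false) {
        $byZip->execute([':zip' => $zip]);
        foreach ($byZip->fetchAll(PDO::FETCH_ASSOC) as $row) {
            $rows[] = $row;
        }
    }
    return $rows;
}

$joined = stores_in_city($db, 'New York');
$looped = stores_in_city_looped($db, 'New York');
foreach ($joined as $r) {
    echo "{$r['zip']}  {$r['store_name']}\n";
}
// Both approaches return the same three New York stores in the same order.
echo $joined == $looped ? "loop and join agree\n" : "mismatch\n";
```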
From danielc at analysisandsolutions.com Tue Sep 20 09:56:27 2005
From: danielc at analysisandsolutions.com (Daniel Convissor)
Date: Tue, 20 Sep 2005 09:56:27 -0400
Subject: [nycphp-talk] Multiple query from out put
In-Reply-To: <20050919220605.9219.qmail@mail1.fluidhosting.com>
References: <432F2C3D.5070201@gmail.com> <6.2.5.4.2.20050919173006.0a974f28@rbnsn.com> <432F2F87.3060300@gmail.com> <20050919220605.9219.qmail@mail1.fluidhosting.com>
Message-ID: <20050920135626.GA15324@panix.com>

Hi Paul:

On Mon, Sep 19, 2005 at 06:06:05PM -0400, thegeek wrote:
> I have a script that searches a table within the database and returns multiple entries (zip codes) in that table. I would then like to take each one of zipcodes and search another table for store addresses.

-- create some sample tables and data
create table zips (zip char(1), cond char(1));
insert into zips values ('1', 'a');
insert into zips values ('2', 'a');
insert into zips values ('3', 'b');

create table stores (zip char(1), name char(1));
insert into stores values ('1', 'm');
insert into stores values ('2', 'n');
insert into stores values ('2', 'o');
insert into stores values ('3', 'p');

-- show how to make a nice joining query
select zips.zip, name from zips join stores using (zip) where cond = 'a';

-- remove these sample tables
drop table zips;
drop table stores;

--Dan

--
T H E   A N A L Y S I S   A N D   S O L U T I O N S   C O M P A N Y
data intensive web and database programming
http://www.AnalysisAndSolutions.com/
4015 7th Ave #4, Brooklyn NY 11232  v: 718-854-0335  f: 718-854-0409

From enunez at tiaa-cref.org Tue Sep 20 10:16:39 2005
From: enunez at tiaa-cref.org (Nunez, Eddy)
Date: Tue, 20 Sep 2005 10:16:39 -0400
Subject: [nycphp-talk] Quickform: Select All Checkboxes
Message-ID: <33DFD788D44E404CB92B90176DEC061A6DAFAA@NYCPDMSXMB06.ad.tiaa-cref.org>

Only way to implement a "(de)select all" at the browser level is with Javascript. Maybe QF has something built-in ...
likely not since it's called "Quick" forms. As far as I know, PHP can't help you there.

-Eddy

-----Original Message-----
From: talk-bounces at lists.nyphp.org [mailto:talk-bounces at lists.nyphp.org]On Behalf Of Mike Lynch
Sent: Tuesday, September 20, 2005 4:56 AM
To: talk at lists.nyphp.org
Subject: [nycphp-talk] Quickform: Select All Checkboxes

Hi All

I am using QF to display a variable number of checkboxes (depends on what is returned from a database query). The number of "checkable" items can be quite large. What is the best way to implement a "Select All" and "Deselect All" option for these checkboxes in Quickform ?

Thanks
Mike

From thegeek at thecolorgeek.com Tue Sep 20 10:23:50 2005
From: thegeek at thecolorgeek.com (thegeek)
Date: Tue, 20 Sep 2005 10:23:50 -0400
Subject: [nycphp-talk] Multiple query from out put
In-Reply-To: <20050920135626.GA15324@panix.com>
References: <432F2C3D.5070201@gmail.com> <6.2.5.4.2.20050919173006.0a974f28@rbnsn.com> <432F2F87.3060300@gmail.com> <20050919220605.9219.qmail@mail1.fluidhosting.com> <20050920135626.GA15324@panix.com>
Message-ID: <20050920142350.55936.qmail@mail1.fluidhosting.com>

Thanks for the help already. I am still trying to wrap my monkey brain around the concept of arrays but have found some good definitions through google.
I am using this code I have found at phpclasses by Micah Carrick. You have asked for snippets; hope this is not too much.

// Method excerpted from the zip code class, so $this refers to that class
// (get_zip_point(), calculate_mileage(), units, decimals and last_error
// are its members).
function get_zips_in_range($zip, $range) {
    // returns an array of the zip codes within $range of $zip. Returns
    // an array with keys as zip codes and values as the distance from
    // the zipcode defined in $zip.

    $details = $this->get_zip_point($zip); // base zip details
    if (empty($details)) return;

    // This portion of the routine calculates the minimum and maximum lat and
    // long within a given range. This portion of the code was written
    // by Jeff Bearer (http://www.jeffbearer.com). This significantly decreases
    // the time it takes to execute a query. My demo took 3.2 seconds in
    // v1.0.0 and now executes in 0.4 seconds! Great job Jeff!

    // Find Max - Min Lat / Long for Radius and zero point and query
    // only zips in that range.
    $lat_range = $range/69.172;
    // The latitude is stored in degrees, but cos() expects radians; the
    // posted code passed degrees straight through (which is why it needed
    // the abs()), so the conversion is added here.
    $lon_range = abs($range/(cos(deg2rad($details[0])) * 69.172));
    $min_lat = number_format($details[0] - $lat_range, "4", ".", "");
    $max_lat = number_format($details[0] + $lat_range, "4", ".", "");
    $min_lon = number_format($details[1] - $lon_range, "4", ".", "");
    $max_lon = number_format($details[1] + $lon_range, "4", ".", "");

    $return = array(); // declared here for scope

    // $zip is interpolated straight into the query: make sure it has been
    // validated as a five-digit string before this method is called.
    $sql = "SELECT zip_code, lattitude, longitude FROM zip_code
            WHERE zip_code <> $zip
              AND lattitude BETWEEN '$min_lat' AND '$max_lat'
              AND longitude BETWEEN '$min_lon' AND '$max_lon'";
    $r = mysql_query($sql);
    if (!$r) { // sql error
        $this->last_error = mysql_error();
        return;
    } else {
        while ($row = mysql_fetch_array($r)) {
            // loop through all 40 some thousand zip codes and determine whether
            // or not it's within the specified range.
            $dist = $this->calculate_mileage($details[0],$row[1],$details[1],$row[2]);
            if ($this->units == 'k') $dist = $dist * 1.609344;
            if ($dist <= $range) {
                $return[str_pad($row[0], 5, "0", STR_PAD_LEFT)] = round($dist, $this->decimals);
            }
        }
        mysql_free_result($r);
    }
    // The closing of the method was cut off in the post; the documented
    // return value is the array built above.
    return $return;
}

Currently I am able to post to the script with a zip and a range and echo the results (a range of zips). Thanks for the pointers already.

Enjoy the Day

From ps at pswebcode.com Tue Sep 20 10:45:05 2005
From: ps at pswebcode.com (Peter Sawczynec)
Date: Tue, 20 Sep 2005 10:45:05 -0400
Subject: [nycphp-talk] Multiple query from out put
In-Reply-To: <20050919220605.9219.qmail@mail1.fluidhosting.com>
Message-ID: <000f01c5bdf1$e7177790$6400a8c0@PeterStorm>

Have you tried this type of structure:

SELECT s.address AS 'Store Address'
FROM stores AS s
WHERE s.zip IN (SELECT z.zip FROM zipcodes AS z WHERE z.city = 'New York')

In this example, first the subquery returns multiple zips for NYC. Then the primary query returns all store data from the stores table with any of the zips that came back from the zips in the NYC subquery.

Additionally, this example uses column and table aliases which are important to use when searching for data across several tables. Aliases are necessary because there may be columns with the same field name in both tables and only aliases ensure you actually get the output from the fields you really wanted. Plus, when you use the fields with PHP later, the fields have clear meanings to you and you can even use the original aliased field names as human readable row header titles in your resultant HTML.

Warmest regards,
Peter Sawczynec
Technology Director
PSWebcode
www.pswebcode.com
ps at pswebcode.com
718.796.1951

-----Original Message-----
From: talk-bounces at lists.nyphp.org [mailto:talk-bounces at lists.nyphp.org] On Behalf Of thegeek
Sent: Monday, September 19, 2005 6:06 PM
To: NYPHP Talk
Subject: [nycphp-talk] Multiple query from out put

Well, need some guidance here. Pretty much a beginner.
Here is what I would like to do. I have a script that searches a table within the database and returns multiple entries (zip codes) in that table. I would then like to take each one of the zipcodes and search another table for store addresses. So am unsure how to format to make multiple queries from the original zipcode search. I can query the database (MySQL) with a single zip and get what I need but don't know where to start when to repeat that with a multiple query.

This is a volunteer non profit project with no money and no real deadline so a good opportunity for me to learn.

Paul G

_______________________________________________
New York PHP Talk Mailing List
AMP Technology
Supporting Apache, MySQL and PHP
http://lists.nyphp.org/mailman/listinfo/talk
http://www.nyphp.org

From ray at lances.net Tue Sep 20 10:58:22 2005
From: ray at lances.net (Ray Lance)
Date: Tue, 20 Sep 2005 10:58:22 -0400
Subject: [nycphp-talk] Quickform: Select All Checkboxes
References: <33DFD788D44E404CB92B90176DEC061A6DAFAA@NYCPDMSXMB06.ad.tiaa-cref.org>
Message-ID: <199901c5bdf3$bf5ca6b0$0600000a@rayl>

It might help to notice that php runs on the webserver, whereas the select-all function would be wanted locally, on the browser client.

----- Original Message -----
From: Nunez, Eddy
To: NYPHP Talk
Sent: Tuesday, September 20, 2005 10:16 AM
Subject: [work] Re: [nycphp-talk] Quickform: Select All Checkboxes

Only way to implement a "(de)select all" at the browser level is with Javascript. Maybe QF has something built-in ... likely not since it's called "Quick" forms. As far as I know, PHP can't help you there.

-Eddy

-----Original Message-----
From: talk-bounces at lists.nyphp.org [mailto:talk-bounces at lists.nyphp.org] On Behalf Of Mike Lynch
Sent: Tuesday, September 20, 2005 4:56 AM
To: talk at lists.nyphp.org
Subject: [nycphp-talk] Quickform: Select All Checkboxes

Hi All

I am using QF to display a variable number of checkboxes (depends on what is returned from a database query). The number of "checkable" items can be quite large.

What is the best way to implement a "Select All" and "Deselect All" option for these checkboxes in Quickform?

Thanks

Mike

From codebowl at gmail.com Tue Sep 20 11:40:06 2005
From: codebowl at gmail.com (Joseph Crawford)
Date: Tue, 20 Sep 2005 11:40:06 -0400
Subject: [nycphp-talk] [PHP] Fwd: Code Optimization Help
In-Reply-To: <433017F6.4060700@iamjochem.com>
References: <8d9a428005091611552eb8f15e@mail.gmail.com> <8d9a428005092004161d1c65c8@mail.gmail.com> <432FFB10.20402@iamjochem.com> <8d9a4280050920052844161039@mail.gmail.com> <43300D85.50703@iamjochem.com> <8d9a42800509200633395d27b9@mail.gmail.com> <433017F6.4060700@iamjochem.com>
Message-ID: <8d9a428005092008401861677@mail.gmail.com>

Ok so finally i implemented my logging class into my mail merge object, this is the results

Word -> Application Opened.
Word -> Document1 Document Added.
Word -> header.doc Document Saved.
Word -> header.doc Document Closed.
Word -> Document2 Document Added.
Word -> ds.doc Document Saved.
Word -> ds.doc Document Closed.
Word -> Has_Site.dot Document Opened.
Word -> Opening Header Source.
F:/htdocs/csaf/data/mailmerge/header.doc File Exists

I threw in a file_exists check to make sure the script was actually seeing the file and had the correct path. It does. This is very strange because nothing happens, it's like i hit a never ending loop but php never times out either. I have my php timeout to 30 seconds yet this has run in excess of 5 minutes now.

The expected results for the log would look something like this

Word -> Application Opened.
Word -> Document1 Document Added.
Word -> header.doc Document Saved.
Word -> header.doc Document Closed.
Word -> Document2 Document Added.
Word -> ds.doc Document Saved.
Word -> ds.doc Document Closed.
Word -> Has_Site.dot Document Opened.
Word -> Opening Header Source.
F:/htdocs/csaf/data/mailmerge/header.doc File Exists
Word -> Opening Data Source.
Word -> Executing Merge.
Word -> Has_Site.doc Document Saved.
Word -> Has_Site.doc Document Closed.
Word -> Merge Successful.

The code that is hanging is below

    private function CreateDocument($template)
    {
        $this->obj->Documents->Open($this->mm_data_dir.'/'.$template.'.dot');
        Logger::log('Word -> '.$this->obj->ActiveDocument->Name().' Document Opened.');
        Logger::log('Word -> Opening Header Source.');
        if(file_exists($this->mm_data_dir.'/header.doc')) {
            Logger::log($this->mm_data_dir.'/header.doc File Exists');
        }

        // THIS IS THE LINE THAT HANGS, THE FILE EXISTS AND IS POPULATED
        // THE FILE CONTENTS CAN BE SEEN HERE http://codebowl.dontexist.net/bugs/MailMerge/3.jpg
        $this->obj->ActiveDocument->MailMerge->OpenHeaderSource($this->mm_data_dir.'/header.doc');

        Logger::log('Word -> Opening Data Source.');
        $this->obj->ActiveDocument->MailMerge->OpenDataSource($this->mm_data_dir.'/ds.doc');
        Logger::log('Word -> Executing Merge.');
        $this->obj->ActiveDocument->MailMerge->Execute();
        $this->obj->ActiveDocument->SaveAs($this->mm_data_dir.'/'.$template.'.doc');
        Logger::log('Word -> '.$this->obj->ActiveDocument->Name().' Saved.');
        Logger::log('Word -> '.$this->obj->ActiveDocument->Name().' Document Closed.');
        $this->obj->ActiveDocument->Close();
    }

Any help with this would be appreciated. I am not sure why it is choosing to hang today ;( I have been going through the COM object API documentation and i don't see myself doing anything i shouldn't be doing.

You can see the full code here http://pastebin.com/369068 that is if it hasn't expired, if so send a reply and i will post again ;)

Thanks in advance

--
Joseph Crawford Jr.
Codebowl Solutions, Inc.
1-802-671-2021
codebowl at gmail.com

From tom at supertom.com Tue Sep 20 11:43:16 2005
From: tom at supertom.com (Tom Melendez)
Date: Tue, 20 Sep 2005 11:43:16 -0400
Subject: [nycphp-talk] Quickform: Select All Checkboxes
In-Reply-To: <199901c5bdf3$bf5ca6b0$0600000a@rayl>
References: <33DFD788D44E404CB92B90176DEC061A6DAFAA@NYCPDMSXMB06.ad.tiaa-cref.org> <199901c5bdf3$bf5ca6b0$0600000a@rayl>
Message-ID: <43302E14.9040703@supertom.com>

Hi Mike,

It's possible that you are asking the question of, "Does QF have something built-in for this, or is there a 'Quickform' way of doing this?". I use QF and am not familiar with their way of handling this. Instead, I just output a general javascript function that takes the name of the checkbox array and whether to turn them all on or off. Since the function is general, it doesn't care if there is one, or 1000. The html for the selectall/clearall links and the extra javascript I just add to the form with the 'html' element:

    $form->addElement('html',$myhtmlstring);

If anyone knows a better way, I'm all ears.

Thanks,

Tom
http://www.liphp.org

Ray Lance wrote:
> It might help to notice that php runs on the webserver, whereas the
> select-all function would be wanted locally, on the browser client.
>
> ----- Original Message -----
> *From:* Nunez, Eddy
> *To:* NYPHP Talk
> *Sent:* Tuesday, September 20, 2005 10:16 AM
> *Subject:* [work] Re: [nycphp-talk] Quickform: Select All Checkboxes
>
> Only way to implement a "(de)select all" at the browser level is
> with Javascript.
> Maybe QF has something built-in ... likely not since it's called
> "Quick" forms.
> As far as I know, PHP can't help you there.
>
> -Eddy
>
> -----Original Message-----
> *From:* talk-bounces at lists.nyphp.org
> [mailto:talk-bounces at lists.nyphp.org] *On Behalf Of* Mike Lynch
> *Sent:* Tuesday, September 20, 2005 4:56 AM
> *To:* talk at lists.nyphp.org
> *Subject:* [nycphp-talk] Quickform: Select All Checkboxes
>
> Hi All
>
> I am using QF to display a variable number of checkboxes
> (depends on what is returned from a database query).
> The number of "checkable" items can be quite large.
>
> What is the best way to implement a "Select All" and "Deselect
> All" option for these checkboxes in Quickform ?
>
> Thanks
>
> Mike

From dmintz at davidmintz.org Tue Sep 20 11:59:11 2005
From: dmintz at davidmintz.org (David Mintz)
Date: Tue, 20 Sep 2005 11:59:11 -0400 (EDT)
Subject: [nycphp-talk] Quickform: Select All Checkboxes
In-Reply-To: <43302E14.9040703@supertom.com>
References: <33DFD788D44E404CB92B90176DEC061A6DAFAA@NYCPDMSXMB06.ad.tiaa-cref.org> <199901c5bdf3$bf5ca6b0$0600000a@rayl> <43302E14.9040703@supertom.com>
Message-ID:

On Tue, 20 Sep 2005, Tom Melendez wrote:

> Hi Mike,
>
> It's possible that you are asking the question of, "Does QF have
> something built-in for this, or is there a 'Quickform' way of doing
> this?". I use QF and am not familar with their way of handling this.
> Instead, I just output a general javascript function that takes the name
> of the checkbox array and whether to turn them all on or off. Since the
> function is general, it doesn't care if there is one, or 1000. The html
> for the selectall/clearall links and the extra javascript I just add to
> the form with the 'html' element:
>
> $form->addElement('html',$myhtmlstring);
>
> If anyone knows a better way, I'm all ears.

This might not be of interest because it sounds like you are using the default renderer rather than a template engine. If you're using just the default renderer and plan to stick with it, the above technique seems ok.
But if you switch to a template engine, the 'html' pseudo-element probably will not be supported by your renderer, but you will of course have the ability to put your own javascript directly in the template itself.

---
David Mintz
http://davidmintz.org/

From mlynch1 at gmail.com Tue Sep 20 12:18:56 2005
From: mlynch1 at gmail.com (Mike Lynch)
Date: Tue, 20 Sep 2005 17:18:56 +0100
Subject: [nycphp-talk] Quickform: Select All Checkboxes
In-Reply-To:
References: <33DFD788D44E404CB92B90176DEC061A6DAFAA@NYCPDMSXMB06.ad.tiaa-cref.org> <199901c5bdf3$bf5ca6b0$0600000a@rayl> <43302E14.9040703@supertom.com>
Message-ID: <9db292e905092009182984b48e@mail.gmail.com>

Hi All

Thanks for the replies. I'm using the default QF renderer so I guess Tom's solution best fits my needs. I was afraid I was missing something obvious in Quickform.

Regards

Mike

On 9/20/05, David Mintz wrote:
>
> On Tue, 20 Sep 2005, Tom Melendez wrote:
>
> > Hi Mike,
> >
> > It's possible that you are asking the question of, "Does QF have
> > something built-in for this, or is there a 'Quickform' way of doing
> > this?". I use QF and am not familar with their way of handling this.
> > Instead, I just output a general javascript function that takes the name
> > of the checkbox array and whether to turn them all on or off. Since the
> > function is general, it doesn't care if there is one, or 1000. The html
> > for the selectall/clearall links and the extra javascript I just add to
> > the form with the 'html' element:
> >
> > $form->addElement('html',$myhtmlstring);
> >
> > If anyone knows a better way, I'm all ears.
>
> This might not be of interest because it sounds like you are using the
> default renderer rather than a template engine. If you're using just the
> default renderer and plan to stick with it, the above technique seems ok.
> But if you switch to a template engine, the 'html' psuedo-element probably
> will not be supported by your renderer, but you will of course have the
> ability to put your own javascript directly in the template itself.
>
> ---
> David Mintz
> http://davidmintz.org/

From lists at zaunere.com Wed Sep 21 09:28:29 2005
From: lists at zaunere.com (Hans Zaunere)
Date: Wed, 21 Sep 2005 09:28:29 -0400
Subject: [nycphp-talk] Phundamentals Title Change: Email Header Injection
In-Reply-To: <432DC15A.8080409@php.net>
Message-ID: <0MKoyl-1EI4eH3FnI-0008Lx@mrelay.perfora.net>

Chris Shiflett wrote on Sunday, September 18, 2005 3:35 PM:
> Jeff Siegel wrote:
> > See: http://www.nyphp.org/phundamentals/email_header_injection.php
>
> I recommend that we change:
>
> "All PHP scripts which send email based on input data are vulnerable."
>
> to:
>
> "All PHP scripts which send email based on tainted data are
> vulnerable."
>
> or:
>
> "All PHP scripts which send email based on input data might be
> vulnerable."
>
> It might be better to reword it some other way, but it's false as
> written.

Or better yet:

All PHP scripts which use external data as any part of a constructed email header, such as when a form accepts data that will populate a To:, From: or Subject: header field, may be vulnerable.

H

From codebowl at gmail.com Wed Sep 21 16:11:50 2005
From: codebowl at gmail.com (Joseph Crawford)
Date: Wed, 21 Sep 2005 16:11:50 -0400
Subject: [nycphp-talk] Zend Certification
In-Reply-To: <432AE509.2060502@php.net>
References: <5458518f0509151831af53b9b@mail.gmail.com> <432AE509.2060502@php.net>
Message-ID: <8d9a4280050921131166071eff@mail.gmail.com>

I just took the exam and passed.
I would in no way say that this test will prove you are an expert... after all i don't think asking anyone X questions would ever make them an expert. I do however hope that it will lead me to getting more work.

It took me a total of around 50 minutes to do the test and then check my answers. i had something like 38 minutes remaining IIRC.

I would like to see a more advanced PHP certification in the future, as i would be inclined to take the training for that to make sure i am on the up and up ;)

--
Joseph Crawford Jr.
Zend Certified Engineer
Codebowl Solutions, Inc.
1-802-671-2021
codebowl at gmail.com

From agfische at email.smith.edu Wed Sep 21 16:31:06 2005
From: agfische at email.smith.edu (Aaron Fischer)
Date: Wed, 21 Sep 2005 16:31:06 -0400
Subject: [nycphp-talk] Zend Certification
In-Reply-To: <8d9a4280050921131166071eff@mail.gmail.com>
References: <5458518f0509151831af53b9b@mail.gmail.com> <432AE509.2060502@php.net> <8d9a4280050921131166071eff@mail.gmail.com>
Message-ID: <4331C30A.5050007@email.smith.edu>

Huh? Zend Certified Engineer?

Engineer seems a bit over the top, I'm surprised that Zend would choose such a term.

Thoughts?

-Aaron

From papillion at gmail.com Wed Sep 21 16:39:44 2005
From: papillion at gmail.com (Anthony Papillion)
Date: Wed, 21 Sep 2005 15:39:44 -0500
Subject: [nycphp-talk] Zend Certification
In-Reply-To: <4331C30A.5050007@email.smith.edu>
References: <5458518f0509151831af53b9b@mail.gmail.com> <432AE509.2060502@php.net> <8d9a4280050921131166071eff@mail.gmail.com> <4331C30A.5050007@email.smith.edu>
Message-ID: <5458518f0509211339548fe213@mail.gmail.com>

On 9/21/05, Aaron Fischer wrote:
> Huh? Zend Certified Engineer?
>
> Engineer seems a bit over the top, I'm surprised that Zend would choose
> such a term.

I'm not sure that engineer is as over the top as it might seem at first glance. I know that software developers calling themselves engineers has been the bane of the engineering community for years but consider this: what does an engineer essentially do? Create, build, and structure things. What do programmers (be they traditional software or web apps) do? Create, build, and structure things. So while the classic definition of engineer might not totally fit, they are essentially doing the same things. They are just using different tools.

--
Anthony Papillion
Advanced Data Concepts
Phone: (918) 926-0139
ICQ: 96-698-595

CAN ONE VOICE CHANGE THE WORLD?
http://www.one.org

From shiflett at php.net Wed Sep 21 17:47:24 2005
From: shiflett at php.net (Chris Shiflett)
Date: Wed, 21 Sep 2005 17:47:24 -0400
Subject: [nycphp-talk] Zend Certification
In-Reply-To: <5458518f0509211339548fe213@mail.gmail.com>
References: <5458518f0509151831af53b9b@mail.gmail.com> <432AE509.2060502@php.net> <8d9a4280050921131166071eff@mail.gmail.com> <4331C30A.5050007@email.smith.edu> <5458518f0509211339548fe213@mail.gmail.com>
Message-ID: <4331D4EC.10406@php.net>

Anthony Papillion wrote:
> I'm not sure that engineer is as over the top as it might seem at
> first glance. I know that software developers calling themselves
> engineers has been the bane of the engineering community for years

Really? That's weird. "A person who uses scientific knowledge to solve practical problems" sounds pretty generic to me. I have had my share of electrical engineering classes, but I never considered software engineering to be infringing upon my elite status as circuit boy. :-)

In fact, when I was in EE, I would have considered the bane of the EE community to be those calling themselves electrical engineers who sucked.

Maybe we can call ourselves software manufacturers and be the bane of the manufacturing industry. :-)

My grandfather was an engineer - he operated a locomotive.
I think he has more right to the term than any of us.

Chris

--
Chris Shiflett
Brain Bulb, The PHP Consultancy
http://brainbulb.com/

From krook at us.ibm.com Wed Sep 21 17:56:28 2005
From: krook at us.ibm.com (Daniel Krook)
Date: Wed, 21 Sep 2005 17:56:28 -0400
Subject: [nycphp-talk] Zend Certification
In-Reply-To: <4331D4EC.10406@php.net>
Message-ID:

> > I'm not sure that engineer is as over the top as it might seem at
> > first glance. I know that software developers calling themselves
> > engineers has been the bane of the engineering community for years
> ...
>
> My grandfather was an engineer - he operated a locomotive.
> I think he has more right to the term than any of us.

The next logical step in this debate is whether Information Architects or Software Architects truly are.

Of course, those two roles have more right to the word "architecture" than building architects who claim that they've "built" a structure have a right to that word, annoying those of us who did at one time wield a hammer, nails and Sawzalls for a living. : )

Daniel Krook, Advisory IT Specialist
Application Development, Production Services - Tools, ibm.com

Personal: http://info.krook.org/
BluePages: http://bluepages.redirect.webahead.ibm.com/
BlogPages: http://blogpages.redirect.webahead.ibm.com/

From jeff.knight at gmail.com Wed Sep 21 18:02:59 2005
From: jeff.knight at gmail.com (Jeff Knight)
Date: Wed, 21 Sep 2005 18:02:59 -0400
Subject: [nycphp-talk] Zend Certification
In-Reply-To:
References: <4331D4EC.10406@php.net>
Message-ID: <2ca9ba9105092115029d53308@mail.gmail.com>

I used to be a ninja, but now I'm a Cowboy!

From matt at jobsforge.com Wed Sep 21 20:56:28 2005
From: matt at jobsforge.com (Matthew Terenzio)
Date: Wed, 21 Sep 2005 20:56:28 -0400
Subject: [nycphp-talk] Zend Certification
In-Reply-To: <4331C30A.5050007@email.smith.edu>
References: <5458518f0509151831af53b9b@mail.gmail.com> <432AE509.2060502@php.net> <8d9a4280050921131166071eff@mail.gmail.com> <4331C30A.5050007@email.smith.edu>
Message-ID: <317f8e9a2339385d2072e05c56c3ce88@jobsforge.com>

On Sep 21, 2005, at 4:31 PM, Aaron Fischer wrote:
> Engineer seems a bit over the top, I'm surprised that Zend would choose
> such a term.

Not sure why it bothers you. I have a Masters degree in Internet Engineering. What does that mean? I haven't seen the certification test but I'm guessing it's in line with Microsoft Certified Engineer or whatever they call it.

From greg.rundlett at gmail.com Wed Sep 21 22:52:56 2005
From: greg.rundlett at gmail.com (Greg Rundlett)
Date: Wed, 21 Sep 2005 22:52:56 -0400
Subject: [nycphp-talk] Design Patterns Webinar
Message-ID: <5e2aaca40509211952634d7f08@mail.gmail.com>

php|symphony Live Talk Series: *FREE Live Web Seminar: Design Patterns in PHP with Jason E. Sweat (October 20, 2005)*

Join us for an exciting new webcast in our php|symphony series! This time, Jason E. Sweat, author of php|architect's Guide to PHP Design Patterns, will tackle the topic of Design Patterns and how they can be applied to the world of PHP programming.

This web seminar will be broadcast live on October 20, 2005 at 1PM Eastern Time (click here to see how that translates into your time zone). You will be able to interact directly with Jason and hear his voice as he gives his presentation. The webcast will run for approximately one hour, including a Q&A session.

Participation in the webcast is free, but space is limited. All you need is a computer with a web browser capable of running Macromedia Flash, speakers or a headset and an Internet connection (28.8kbps or higher).
See http://www.phparch.com/shop_product.php?itemid=102 to sign up

From 1j0lkq002 at sneakemail.com Thu Sep 22 01:06:48 2005
From: 1j0lkq002 at sneakemail.com (inforequest)
Date: Wed, 21 Sep 2005 22:06:48 -0700
Subject: [nycphp-talk] Zend Certification
In-Reply-To:
References:
Message-ID: <20600-02258@sneakemail.com>

Daniel Krook krook-at-us.ibm.com |nyphp dev/internal group use| wrote:

> The next logical step in this debate is whether Information Architects or
> Software Architects truly are.
>
> Of course, those two roles have more right to the word "architecture" than
> building architects who claim that they've "built" a structure have a
> right to that word, annoying those of us who did at one time wield a
> hammer, nails and Sawzalls for a living. : )

Well, the legal argument surrounds licensing. An architect is not licensed by the government (but his buildings have to be signed off by a licensed Professional Engineer before they can be built, and again before they can be occupied by the public.. and a few additional times for the heating/AC systems, plumbing, etc). You do not need permission to call yourself an architect, but you do need a license to call yourself a Professional Engineer. You similarly cannot claim to be a Lawyer, or a Doctor unless you are licensed to practice.

And to get that license you need to complete a degree program from a school accredited by the Engineering accrediting group. And then take two different 8 hour tests, usually years apart. The first is a comprehensive test covering 4 years of engineering school (across several engineering disciplines, even if you only studied one of those). The second is based on practice, and is only offered to you after you have completed a certain amount of real-world engineering work and at least one licensed PE signs an affidavit that you did indeed do that work and it was quality work.

That second test is practical engineering work in your discipline. Pass them both and you get to call yourself a Professional Engineer.

Now Engineers are not a very litigious group by nature, so plenty of people put "engineer" and even "Engineer" on their business cards. The Professional Engineers have a legal basis for preventing others from conducting commerce as Engineers/Engineering. It is widely reported that using the "little e" version of engineer is tolerated.

Now Realtor is not a real word... it was made up as a trademark. The Realtors litigate that one seriously, so no, unless you are a member of the Realtor association (not a government license.. just a trade group) you cannot call yourself a Realtor.

I have a Bachelor of Engineering from an accredited school, a Masters Degree in Engineering Science and was a candidate for the Ph.D. in Electrical Engineering at an accredited school. I doubt I could ever have done numerical algorithms or digital signal processing work (all code) without a very serious math/science/engineering education, but some CIS guys are amazing and certainly equivalent to Engineers in their analytical and problem solving skills. Those are not typical programmers or developers, however, and they are usually Ph.D. level scientists who have in fact received equivalent training. I don't see them calling themselves Software Engineers though.

-=john andrews
http://www.seo-fun.com

From shiflett at php.net Thu Sep 22 01:19:05 2005
From: shiflett at php.net (Chris Shiflett)
Date: Thu, 22 Sep 2005 01:19:05 -0400
Subject: [nycphp-talk] Zend Certification
In-Reply-To: <20600-02258@sneakemail.com>
References: <20600-02258@sneakemail.com>
Message-ID: <43323EC9.7060703@php.net>

inforequest wrote:
> You do not need permission to call yourself an architect, but you
> do need a license to call yourself a Professional Engineer.

That's why it's Professional Engineer instead of Engineer.
PE is like MCSE or ZCE, although it's obviously much more respected (and difficult to achieve).

> You similarly cannot claim to be a Lawyer, or a Doctor unless you
> are licensed to practice.

Tell that to the PhDs. :-)

> Now Engineers are not a very litigious group by nature, so plenty
> of people put "engineer" and even "Engineer" on their business
> cards. The Professional Engineers have a legal basis for preventing
> others from conducting commerce as Engineers/Engineering. It is
> widely reported that using the "little e" version of engineer is
> tolerated.

They have no choice but to tolerate the use of the word. People have tried to trademark words before (the guy who trademarked stealth, for example), but I think most people, like me, just think that's silly.

> Those are not typical programmers or developers, however, and they
> are usually Ph.D. level scientists who have in fact received
> equivalent training. I don't see them calling themselves Software
> Engineers though.

Most prefer the term computer scientist, I think. Software engineering is a subset of computer science.

Chris

--
Chris Shiflett
Brain Bulb, The PHP Consultancy
http://brainbulb.com/

From dipeshjr at yahoo.com Thu Sep 22 08:55:51 2005
From: dipeshjr at yahoo.com (DIPESH RABADIYA)
Date: Thu, 22 Sep 2005 05:55:51 -0700 (PDT)
Subject: [nycphp-talk] PHP / Word 2003 COM
In-Reply-To: <8d9a428005091610298aaa589@mail.gmail.com>
Message-ID: <20050922125552.67198.qmail@web54006.mail.yahoo.com>

Respected Sir,

I'm, Dipesh Rabadiya, working with php for 2 years and I want to work with you, if you don't mind.

Sir I'm Searching for outsourcing work for php so, could You pls Help me.....

Waiting for Your Reply

Regards

Dipesh

--- Joseph Crawford wrote:

> Through extensive testing i have found this to work
> everytime that i run it
> in debug mode through zend studio, however when i
> run it via the URL it
> crashes Apache and this is the contents of the Error
> Log
>
> [Fri Sep 16 13:14:18 2005] [notice] Parent: child process exited with status 3221225477 -- Restarting.
> [Fri Sep 16 13:14:19 2005] [notice] Apache/2.0.54 (Win32) PHP/5.0.4 configured -- resuming normal operations
> [Fri Sep 16 13:14:19 2005] [notice] Server built: Apr 16 2005 14:25:31
> [Fri Sep 16 13:14:19 2005] [notice] Parent: Created child process 5396
> [Fri Sep 16 13:14:20 2005] [notice] Child 5396: Child process is running
> [Fri Sep 16 13:14:20 2005] [notice] Child 5396: Acquired the start mutex.
> [Fri Sep 16 13:14:20 2005] [notice] Child 5396: Starting 250 worker threads.
>
> Anyone that can help i would very much appreciate
> it.
>
>
> --
> Joseph Crawford Jr.
> Codebowl Solutions, Inc.
> 1-802-671-2021
> codebowl at gmail.com

__________________________________
Yahoo! Mail - PC Magazine Editors' Choice 2005
http://mail.yahoo.com

From dipeshsenior at yahoo.com Thu Sep 22 09:35:45 2005
From: dipeshsenior at yahoo.com (Dipesh Rabadiya)
Date: Thu, 22 Sep 2005 06:35:45 -0700 (PDT)
Subject: [nycphp-talk] PHP / Word 2003 COM
In-Reply-To: <4332B1FE.8010000@omnistep.com>
Message-ID: <20050922133545.22874.qmail@web35905.mail.mud.yahoo.com>

Most respected sir,

I'm, Dipesh Senior, working with php for 2 years and 1 1/2 months. I want to work with you much more than Jr.

Sir, I'm Searching for outsourcing work for php and bash scripting or QBasic so, could u pls hlp me.....

Waiting eagerly For your Reply

kindest Regards

Dipesh Sr.
> Date: Thu, 22 Sep 2005 05:55:51 -0700 (PDT)
> From: DIPESH RABADIYA
> To: NYPHP Talk
> Subject: Re: [nycphp-talk] PHP / Word 2003 COM
>
> Respected Sir,
>
> I'm,Dipesh Rabadiya, working with php for 2 years
> and I want to work with you, if you don't mind.
>
> Sir I'm Searching for outsourcing work for php
> so, could You pls Help me.....
>
> Waiting for Your Reply
>
> Regards
>
> Dipesh
> --- Joseph Crawford wrote:
>
> > Through extensive testing i have found this to
> work
> > everytime that i run it
> > in debug mode through zend studio, however when i

__________________________________
Yahoo! Mail - PC Magazine Editors' Choice 2005
http://mail.yahoo.com

From codebowl at gmail.com Thu Sep 22 10:10:59 2005
From: codebowl at gmail.com (Joseph Crawford)
Date: Thu, 22 Sep 2005 10:10:59 -0400
Subject: [nycphp-talk] PHP / Word 2003 COM
In-Reply-To: <20050922133545.22874.qmail@web35905.mail.mud.yahoo.com>
References: <4332B1FE.8010000@omnistep.com>
	<20050922133545.22874.qmail@web35905.mail.mud.yahoo.com>
Message-ID: <8d9a4280050922071063054528@mail.gmail.com>

most respected sir,

I am not sure why you would think I have work I can outsource, but when I
do have work I also try to outsource to people in the USA. I apologise, but
I have nothing at this time.

Also, when you are sending emails like this it may be better to keep them
off list.

--
Joseph Crawford Jr.
Zend Certified Engineer
Codebowl Solutions, Inc.
1-802-671-2021
codebowl at gmail.com

From dmintz at davidmintz.org Thu Sep 22 12:04:12 2005
From: dmintz at davidmintz.org (David Mintz)
Date: Thu, 22 Sep 2005 12:04:12 -0400 (EDT)
Subject: [nycphp-talk] email injection bot taking a break?
Message-ID:

I was logging and emailing myself every time one of my contact.php pages
was being abused by our little friend who inspired the latest Phundie
article. It was cranking for a couple weeks, but has lately dropped to
zero visits/day.

Anybody else observed a similar trend, or am I just lucky?

---
David Mintz
http://davidmintz.org/

From kenrbnsn at rbnsn.com Thu Sep 22 12:11:33 2005
From: kenrbnsn at rbnsn.com (Ken Robinson)
Date: Thu, 22 Sep 2005 12:11:33 -0400
Subject: [nycphp-talk] email injection bot taking a break?
In-Reply-To:
References:
Message-ID: <6.2.5.4.2.20050922120944.06afeb18@rbnsn.com>

At 12:04 PM 9/22/2005, David Mintz wrote:
>I was logging and emailing myself every time one of my contact.php pages
>was being abused by our little friend who inspired the latest Phundie
>article. It was cranking for a couple weeks, but has lately dropped to
>zero visits/day.
>
>Anybody else observed a similar trend, or am i just lucky?

The number of hits has diminished, but it hasn't quite gone down to zero.
I had 1 or 2 tries yesterday. Of course the person behind this may have
found some unprotected forms and given up on the ones we have protected.

Ken

From rolan at omnistep.com Thu Sep 22 12:14:27 2005
From: rolan at omnistep.com (Rolan Yang)
Date: Thu, 22 Sep 2005 12:14:27 -0400
Subject: [nycphp-talk] email injection bot taking a break?
In-Reply-To:
References:
Message-ID: <4332D863.6000509@omnistep.com>

Sounds like the calm before the storm. I'm thinking of purposely leaving
one script open just to see what kind of malicious stuff passes through,
but the feedback script would rewrite the injected cc: and bcc: addresses
with a target email address of my own instead of passing it on to the
victim.

~Rolan

David Mintz wrote:
>I was logging and emailing myself every time one of my contact.php pages
>was being abused by our little friend who inspired the latest Phundie
>article. It was cranking for a couple weeks, but has lately dropped to
>zero visits/day.
>
>Anybody else observed a similar trend, or am i just lucky?
>

From jbaltz at altzman.com Thu Sep 22 12:21:37 2005
From: jbaltz at altzman.com (Jerry B.
Altzman)
Date: Thu, 22 Sep 2005 12:21:37 -0400
Subject: [nycphp-talk] Zend Certification
In-Reply-To: <20600-02258@sneakemail.com>
References: <20600-02258@sneakemail.com>
Message-ID: <4332DA11.9030305@altzman.com>

On 9/22/2005 1:06 AM, inforequest wrote:
> yourself a Professional Engineer. You similarly cannot claim to be a
> Lawyer, or a Doctor unless you are licensed to practice.

Those of us with Ph.D.s beg to differ on that last point. :-)

> -=john andrews

//jbaltz
--
jerry b. altzman jbaltz at altzman.com KE3ML
thank you for contributing to the heat death of the universe.

From sol2ray at gmail.com Thu Sep 22 13:17:39 2005
From: sol2ray at gmail.com (Sol Toure)
Date: Thu, 22 Sep 2005 13:17:39 -0400
Subject: [nycphp-talk] email injection bot taking a break?
In-Reply-To: <4332D863.6000509@omnistep.com>
References: <4332D863.6000509@omnistep.com>
Message-ID: <4a67dc39050922101758ada2e8@mail.gmail.com>

It seems to me that the person doing this belongs to this list. I have
seen the first attempt on one of my contact forms this week. Or maybe
after this thread started someone from the list tried it and that happened
to be my site?

On 9/22/05, Rolan Yang wrote:
>
> Sounds like the calm before the storm. I'm thinking of purposely leaving
> one script open just so to see what kind of malicious stuff passes
> though, but feedback script would rewrite the injected cc: and bcc:
> addresses with a target email address of my own instead of passing it on
> to the victim.
>
> ~Rolan
>

From jeff.knight at gmail.com Thu Sep 22 13:40:34 2005
From: jeff.knight at gmail.com (Jeff Knight)
Date: Thu, 22 Sep 2005 13:40:34 -0400
Subject: [nycphp-talk] email injection bot taking a break?
In-Reply-To: <4a67dc39050922101758ada2e8@mail.gmail.com>
References: <4332D863.6000509@omnistep.com>
	<4a67dc39050922101758ada2e8@mail.gmail.com>
Message-ID: <2ca9ba910509221040107edfb7@mail.gmail.com>

Congratulations, that has to be the most asinine and offensive post to this
list in its entire history. A number of people take time out of their busy
schedules to first alert you to, and then discuss and publish a method to
protect you from, a current vulnerability, and the best you can do is
accuse one of them of causing it?

On 9/22/05, Sol Toure wrote:
>
> It seems to me that the person doing this belongs to this list. I have
> seen the first attempt on one of my contact form this week. Or maybe after
> this thread started someone from the list tried it and that happened to be
> my site?
>

From 1j0lkq002 at sneakemail.com Thu Sep 22 14:28:10 2005
From: 1j0lkq002 at sneakemail.com (inforequest)
Date: Thu, 22 Sep 2005 11:28:10 -0700
Subject: [nycphp-talk] email injection bot taking a break?
In-Reply-To: <4332D863.6000509@omnistep.com>
References: <4332D863.6000509@omnistep.com>
Message-ID: <13270-95064@sneakemail.com>

Rolan Yang rolan-at-omnistep.com |nyphp dev/internal group use| wrote:

>Sounds like the calm before the storm. I'm thinking of purposely leaving
>one script open just so to see what kind of malicious stuff passes
>though, but feedback script would rewrite the injected cc: and bcc:
>addresses with a target email address of my own instead of passing it on
>to the victim.
>
>~Rolan
>

or........ collect email headers and build your own open proxy list ;-)

-=john andrews
http://www.seo-fun.com

From dmintz at davidmintz.org Thu Sep 22 15:35:44 2005
From: dmintz at davidmintz.org (David Mintz)
Date: Thu, 22 Sep 2005 15:35:44 -0400 (EDT)
Subject: [nycphp-talk] email injection bot taking a break?
In-Reply-To: <2ca9ba910509221040107edfb7@mail.gmail.com>
References: <4332D863.6000509@omnistep.com>
	<4a67dc39050922101758ada2e8@mail.gmail.com>
	<2ca9ba910509221040107edfb7@mail.gmail.com>
Message-ID:

On Thu, 22 Sep 2005, Jeff Knight wrote:
> Congratulations, that has to be the most asinine and offensive post to this
> list in its entire history.
>
> On 9/22/05, Sol Toure wrote:
> >
> > It seems to me that the person doing this belongs to this list.

Heh. I was gonna say, that's just plain deranged, but you have a point,
Jeff.

---
David Mintz
http://davidmintz.org/

From jsiegel1 at optonline.net Thu Sep 22 16:21:10 2005
From: jsiegel1 at optonline.net (Jeff Siegel)
Date: Thu, 22 Sep 2005 16:21:10 -0400
Subject: [nycphp-talk] email injection bot taking a break?
In-Reply-To:
Message-ID: <0IN800LPYJ7GR8A1@mta10.srv.hcvlny.cv.net>

The last time I got hit with it was on the 18th.

Jeff

-----Original Message-----
From: talk-bounces at lists.nyphp.org [mailto:talk-bounces at lists.nyphp.org] On Behalf Of David Mintz
Sent: Thursday, September 22, 2005 11:04 AM
To: talk at lists.nyphp.org
Subject: [nycphp-talk] email injection bot taking a break?

I was logging and emailing myself every time one of my contact.php pages
was being abused by our little friend who inspired the latest Phundie
article. It was cranking for a couple weeks, but has lately dropped to
zero visits/day.

Anybody else observed a similar trend, or am i just lucky?

---
David Mintz
http://davidmintz.org/

From 1j0lkq002 at sneakemail.com Thu Sep 22 17:14:00 2005
From: 1j0lkq002 at sneakemail.com (inforequest)
Date: Thu, 22 Sep 2005 14:14:00 -0700
Subject: [nycphp-talk] [OT] if you host on Ev1, back up your servers a.s.a.p.
	because Rita is coming
In-Reply-To: <0IN800LPYJ7GR8A1@mta10.srv.hcvlny.cv.net>
References: <0IN800LPYJ7GR8A1@mta10.srv.hcvlny.cv.net>
Message-ID: <14911-94623@sneakemail.com>

If you are on ev1's service, you may want to back up locally and check
preparedness. The current storm is headed pretty close to the ev1
datacenters, and while it seems they are prepared
(http://forums.ev1servers.net/showthread.php?t=58244) it might be best to
secure your own backups.

-=john andrews
http://www.seo-fun.com

From kenrbnsn at rbnsn.com Thu Sep 22 17:37:47 2005
From: kenrbnsn at rbnsn.com (Ken Robinson)
Date: Thu, 22 Sep 2005 17:37:47 -0400
Subject: [nycphp-talk] email injection bot taking a break?
In-Reply-To: <0IN800LPYJ7GR8A1@mta10.srv.hcvlny.cv.net>
References: <0IN800LPYJ7GR8A1@mta10.srv.hcvlny.cv.net>
Message-ID: <6.2.5.4.2.20050922173710.026ace20@rbnsn.com>

At 04:21 PM 9/22/2005, Jeff Siegel wrote:
>The last time I got hit with it was on the 18th.

One of my sites got hit at about 4 AM this morning (9/22/05).

Ken

From lists at zaunere.com Thu Sep 22 17:46:26 2005
From: lists at zaunere.com (Hans Zaunere)
Date: Thu, 22 Sep 2005 17:46:26 -0400
Subject: [nycphp-talk] [OT] if you host on Ev1, back up your servers a.s.a.p.
	because Rita is coming
In-Reply-To: <14911-94623@sneakemail.com>
Message-ID: <0MKoyl-1EIYtg1Nfh-0003RO@mrelay.perfora.net>

inforequest wrote on Thursday, September 22, 2005 5:14 PM:
> If you are on ev1's service, you may want to backup locally and check
> preparedness. The current storm is headed pretty close to the ev1
> datacenters, and while it seems they are prepared
> (http://forums.ev1servers.net/showthread.php?t=58244) it might be best
> to secure your own backups.

I also figured Texas would be a pretty safe place to host. Guess it's time
to start-up The Montana Hosting Company...
land is cheap, but fiber would be at a premium :)

H

From 1j0lkq002 at sneakemail.com Thu Sep 22 17:56:08 2005
From: 1j0lkq002 at sneakemail.com (inforequest)
Date: Thu, 22 Sep 2005 14:56:08 -0700
Subject: [nycphp-talk] [OT] if you host on Ev1, back up your servers a.s.a.p.
	because Rita is coming
In-Reply-To: <0MKoyl-1EIYtg1Nfh-0003RO@mrelay.perfora.net>
References: <0MKoyl-1EIYtg1Nfh-0003RO@mrelay.perfora.net>
Message-ID: <23112-93362@sneakemail.com>

Hans Zaunere lists-at-zaunere.com |nyphp dev/internal group use| wrote:

>inforequest wrote on Thursday, September 22, 2005 5:14 PM:
>
>>If you are on ev1's service, you may want to backup locally and check
>>preparedness. The current storm is headed pretty close to the ev1
>>datacenters, and while it seems they are prepared
>>(http://forums.ev1servers.net/showthread.php?t=58244) it might be best
>>to secure your own backups.
>
>I also figured Texas would be a pretty safe place to host. Guess it's time
>to start-up The Montana Hosting Company... land is cheap, but fiber would be
>at a premium :)
>
>H

San Antonio yes, but Houston? :-)

From Consult at CovenantEDesign.com Thu Sep 22 18:09:05 2005
From: Consult at CovenantEDesign.com (CED)
Date: Thu, 22 Sep 2005 18:09:05 -0400
Subject: [nycphp-talk] email injection bot taking a break?
References: <4332D863.6000509@omnistep.com>
	<4a67dc39050922101758ada2e8@mail.gmail.com>
	<2ca9ba910509221040107edfb7@mail.gmail.com>
Message-ID: <007101c5bfc2$3fda9f20$0319a8c0@ced>

Absurd indeed Jeff. Heh

----- Original Message -----
From: Jeff Knight
To: NYPHP Talk
Sent: Thursday, September 22, 2005 1:40 PM
Subject: Re: [nycphp-talk] email injection bot taking a break?

Congratulations, that has to be the most asinine and offensive post to this
list in its entire history.
A number of people take time out of their busy schedules to first alert you
to, and then discuss and publish a method to protect you from, a current
vulnerability, and the best you can do is accuse one of them of causing it?

On 9/22/05, Sol Toure wrote:

  It seems to me that the person doing this belongs to this list. I have
  seen the first attempt on one of my contact form this week. Or maybe after
  this thread started someone from the list tried it and that happened to be
  my site?

------------------------------------------------------------------------------

From JoeyD473 at nyc.rr.com Thu Sep 22 19:15:21 2005
From: JoeyD473 at nyc.rr.com (Joey Derrico)
Date: Thu, 22 Sep 2005 19:15:21 -0400
Subject: [nycphp-talk] [OT] if you host on Ev1, back up your servers a.s.a.p.
	because Rita is coming
References: <0MKoyl-1EIYtg1Nfh-0003RO@mrelay.perfora.net>
Message-ID: <001d01c5bfcb$81b95400$50b1ad44@nyc.rr.com>

You should get a server in the area of New York City; more expensive, but
virtually no natural disasters (and if one occurs it does little to no
damage).

Joey Derrico
----- Original Message -----
From: "Hans Zaunere"
To: "'NYPHP Talk'"
Sent: Thursday, September 22, 2005 5:46 PM
Subject: Re: [nycphp-talk] [OT] if you host on Ev1,back up your servers
a.s.a.p. because Rita is coming

inforequest wrote on Thursday, September 22, 2005 5:14 PM:
> If you are on ev1's service, you may want to backup locally and check
> preparedness. The current storm is headed pretty close to the ev1
> datacenters, and while it seems they are prepared
> (http://forums.ev1servers.net/showthread.php?t=58244) it might be best
> to secure your own backups.

I also figured Texas would be a pretty safe place to host.
Guess it's time to start-up The Montana Hosting Company... land is cheap,
but fiber would be at a premium :)

H

From hendler at simmons.edu Thu Sep 22 19:22:04 2005
From: hendler at simmons.edu (Jonathan)
Date: Thu, 22 Sep 2005 19:22:04 -0400
Subject: [nycphp-talk] [OT] if you host on Ev1, back up your servers a.s.a.p.
	because Rita is coming
In-Reply-To: <001d01c5bfcb$81b95400$50b1ad44@nyc.rr.com>
References: <0MKoyl-1EIYtg1Nfh-0003RO@mrelay.perfora.net>
	<001d01c5bfcb$81b95400$50b1ad44@nyc.rr.com>
Message-ID: <43333C9C.6020306@simmons.edu>

If you are considering moving your servers, try an environmentally friendly
approach: http://www.solarhost.com/

Hmm, I hope these servers aren't in sunny Texas. I'd rather say "Powered by
the Sun" than "Powered by Sun" though.

Joey Derrico wrote:

>You should get a server in the area of New York City, more expensive, but
>virtually no natural disasters (and if one occurs it does little to no
>damage)
>
>Joey Derrico
>----- Original Message -----
>From: "Hans Zaunere"
>To: "'NYPHP Talk'"
>Sent: Thursday, September 22, 2005 5:46 PM
>Subject: Re: [nycphp-talk] [OT] if you host on Ev1,back up your servers
>a.s.a.p. because Rita is coming
>
>inforequest wrote on Thursday, September 22, 2005 5:14 PM:
>
>>If you are on ev1's service, you may want to backup locally and check
>>preparedness. The current storm is headed pretty close to the ev1
>>datacenters, and while it seems they are prepared
>>(http://forums.ev1servers.net/showthread.php?t=58244) it might be best
>>to secure your own backups.
>
>I also figured Texas would be a pretty safe place to host. Guess it's time
>to start-up The Montana Hosting Company...
>land is cheap, but fiber would be
>at a premium :)
>
>H
>

From yournway at gmail.com Thu Sep 22 19:24:33 2005
From: yournway at gmail.com (Alberto dos Santos)
Date: Fri, 23 Sep 2005 00:24:33 +0100
Subject: [nycphp-talk] [OT] if you host on Ev1, back up your servers a.s.a.p.
	because Rita is coming
In-Reply-To: <001d01c5bfcb$81b95400$50b1ad44@nyc.rr.com>
References: <0MKoyl-1EIYtg1Nfh-0003RO@mrelay.perfora.net>
	<001d01c5bfcb$81b95400$50b1ad44@nyc.rr.com>
Message-ID:

Discounting a couple of towers collapsing here and there, of course.

Ouch, this was mean, but I couldn't resist it...

On 23/09/05, Joey Derrico wrote:
>
> You should get a server in the area of New York City, more expensive, but
> virtually no natural disasters (and if one occurs it does little to no
> damage)
>
> Joey Derrico
> ----- Original Message -----
> From: "Hans Zaunere"
> To: "'NYPHP Talk'"
> Sent: Thursday, September 22, 2005 5:46 PM
> Subject: Re: [nycphp-talk] [OT] if you host on Ev1,back up your servers
> a.s.a.p. because Rita is coming
>
> inforequest wrote on Thursday, September 22, 2005 5:14 PM:
> > If you are on ev1's service, you may want to backup locally and check
> > preparedness. The current storm is headed pretty close to the ev1
> > datacenters, and while it seems they are prepared
> > (http://forums.ev1servers.net/showthread.php?t=58244) it might be best
> > to secure your own backups.
>
> I also figured Texas would be a pretty safe place to host. Guess it's time
> to start-up The Montana Hosting Company...
> land is cheap, but fiber would be
> at a premium :)
>
> H
>

--
Alberto dos Santos
Consultor em TI
IT Consultant
http://www.yournway.com
A internet à sua maneira.
The Internet your own way.

From chsnyder at gmail.com Thu Sep 22 19:28:21 2005
From: chsnyder at gmail.com (csnyder)
Date: Thu, 22 Sep 2005 19:28:21 -0400
Subject: [nycphp-talk] [OT] if you host on Ev1, back up your servers a.s.a.p.
	because Rita is coming
In-Reply-To: <0MKoyl-1EIYtg1Nfh-0003RO@mrelay.perfora.net>
References: <14911-94623@sneakemail.com>
	<0MKoyl-1EIYtg1Nfh-0003RO@mrelay.perfora.net>
Message-ID:

On 9/22/05, Hans Zaunere wrote:
> The Montana Hosting Company...

Toronto is the way to go, I think. Plenty of fiber, intelligent workforce,
few natural disasters. And you get to pay with Canadian dollars.

--
Chris Snyder
http://chxo.com/

From 1j0lkq002 at sneakemail.com Fri Sep 23 00:57:03 2005
From: 1j0lkq002 at sneakemail.com (inforequest)
Date: Thu, 22 Sep 2005 21:57:03 -0700
Subject: [nycphp-talk] [OT] didn't see it mentioned.. firefox critical
	vulnerability, new version out as of Wednesday
In-Reply-To:
References: <14911-94623@sneakemail.com>
	<0MKoyl-1EIYtg1Nfh-0003RO@mrelay.perfora.net>
Message-ID: <9358-73911@sneakemail.com>

Only on Linux/Unix, FF 1.0.6 has a backtick shell execution vulnerability.
1.0.7 was released Wednesday.
http://secunia.com/advisories/16869/

-=john andrews
http://www.seo-fun.com

From papillion at gmail.com Fri Sep 23 01:56:45 2005
From: papillion at gmail.com (Anthony Papillion)
Date: Fri, 23 Sep 2005 00:56:45 -0500
Subject: [nycphp-talk] Question about obtaining MAC address
Message-ID: <5458518f0509222256666071cd@mail.gmail.com>

Does anyone know of a reliable way to obtain a site visitor's MAC address?
I ask because I am creating an application that needs to be very secure,
and I was thinking about using each user's MAC address as the
authentication key in addition to a login/password.

Thanks!
Anthony Papillion
Phone: (918) 926-0139
ICQ: 96-698-595

CAN ONE VOICE CHANGE THE WORLD?
http://www.one.org

From arzala at gmail.com Fri Sep 23 05:27:41 2005
From: arzala at gmail.com (Anirudh Zala)
Date: Fri, 23 Sep 2005 14:57:41 +0530
Subject: [nycphp-talk] email injection bot taking a break?
In-Reply-To:
References:
Message-ID: <4333CA8D.7090201@gmail.com>

Yeah, some break in the storm. Still, attacks have not been stopped totally
yet, but the frequency has been lowered considerably. Maybe due to actions
taken to improve code against such attacks, or the hacker/cracker himself
just wanted to search for vulnerable domains to be used for sending emails
for some other purpose.

We now have enough of a record of IPs that have been used for such attacks,
and my analysis suggests that we received attacks on many of our domains
from various parts of the world. And the servers used for this malicious
purpose belong to schools, universities and some small-scale companies.
Below, you can see some IPs and contact persons who are directly or
indirectly connected with control of those servers. I have used
http://www.geobytes.com/IpLocator.htm?GetLocation to track the location of
these servers and then used the WHOIS system to search for persons who are
directly or indirectly connected to them.
80.82.3.143       netreg at epix.net
205.238.226.40    sr.internet at infocamere.it
212.75.80.242     rolf.carlsson at atlascopco.com
66.199.163.240    eddie at onespeed.com

Thanks

Anirudh Zala

----------------------------------------------------------------
Anirudh Zala (Production Manager),
ASPL, 814-815, Star Plaza,          Ph: +91 281 245 1894
Phhulchhab Square,                  anirudh at aspl.in
Rajkot 360001, Gujarat              http://www.aspl.in
INDIA
----------------------------------------------------------------

David Mintz wrote:
>I was logging and emailing myself every time one of my contact.php pages
>was being abused by our little friend who inspired the latest Phundie
>article. It was cranking for a couple weeks, but has lately dropped to
>zero visits/day.
>
>Anybody else observed a similar trend, or am i just lucky?
>
>
>---
>David Mintz
>http://davidmintz.org/
>

From lists at zaunere.com Fri Sep 23 05:42:02 2005
From: lists at zaunere.com (Hans Zaunere)
Date: Fri, 23 Sep 2005 05:42:02 -0400
Subject: [nycphp-talk] Question about obtaining MAC address
In-Reply-To: <5458518f0509222256666071cd@mail.gmail.com>
Message-ID: <0MKp2t-1EIk4C1mQ9-0005jw@mrelay.perfora.net>

Hi Anthony,

Anthony Papillion wrote on Friday, September 23, 2005 1:57 AM:
> Does anyone know of a reliable way to obtain a site visitors MAC
> address? I ask because I am creating an application that needs to be
> very secure and I was thinking about using each users MAC address as
> the authentication key in addition to a login/password.

Sorry to say, but that's the wrong strategy for secure authentication.
There are a number of reasons, with the top two being:

-- MAC addresses can be spoofed
-- you can't capture a MAC address of someone across the Internet.
MAC/hardware addresses don't go past a router (level 2 of the network
stack, I believe) and thus are only visible on a local LAN. And, if a
switch is in place, as is generally the case these days, you'd only see ARP
requests for the MAC anyway.

The best way to handle security is generally a well constructed
username/password strategy. If, however, you have close contact with each
user, SSL client/server certs may be a practical secure solution.

---
Hans Zaunere / President / New York PHP
www.nyphp.org / www.nyphp.com

From lists at zaunere.com Fri Sep 23 06:18:54 2005
From: lists at zaunere.com (Hans Zaunere)
Date: Fri, 23 Sep 2005 06:18:54 -0400
Subject: [nycphp-talk] Input Filtering
In-Reply-To: <20050917223814.GA7988@panix.com>
Message-ID: <0MKp2t-1EIkds02qo-0006VT@mrelay.perfora.net>

Daniel Convissor wrote on Saturday, September 17, 2005 6:38 PM:
> Hey Jeff:
>
> On Mon, Jul 25, 2005 at 01:00:28PM -0400, Jeff Loiselle wrote:
> > Can anyone recommend any good packages for input filtering?
>
> Check out my Form Solution. Not the end all and be all, but it's
> pretty handy. http://www.analysisandsolutions.com/software/form/

Or for true system-wide input filtering, there are some developments being
discussed:

http://files.derickrethans.nl/filter_extension.html
http://marc.theaimsgroup.com/?l=php-dev&w=2&r=1&s=input+filtering&q=b

And, doesn't this all sound familiar? :)

http://lists.nyphp.org/pipermail/talk/2005-July/015639.html

Nevertheless, it's a developing area for PHP, and I'll be interested to
hear updates from the front lines at Chris' talk next week.
---
Hans Zaunere / President / New York PHP
www.nyphp.org / www.nyphp.com

From lists at zaunere.com Fri Sep 23 06:28:53 2005
From: lists at zaunere.com (Hans Zaunere)
Date: Fri, 23 Sep 2005 06:28:53 -0400
Subject: [nycphp-talk] Phundamentals Title Change: Email Header Injection
In-Reply-To: <432EADFB.8040907@phpwerx.net>
Message-ID: <0MKp2t-1EIknW2BEN-0006Gg@mrelay.perfora.net>

Dan Cech wrote on Monday, September 19, 2005 8:24 AM:
> Jeff & list,
>
> I believe I managed to avoid weighing into the various debates raging
> back and forth in the thread.
>
> The idea of checking for particular email addresses in the mail logs
> does seem pretty naive, especially as they are such a throwaway item
> these days.

This is absolutely true. However, it is an easy first step to detect the
use of this exploit. It's not exhaustive by any means (as only recoding
some key input validation code would be), but it can be a first step to
catching this early on.

> Personally I'm of the opinion that these kinds of forms should require
> inputs that are supposed to be email addresses to look like email
> addresses. Not only will that remove the possibility of this exploit,
> it will also cut down (ever so slightly) on malformed addresses being
> sent through to the mail subsystem. Good user feedback for 'invalid'
> addresses should allow anyone using the form to 'correct' them, so I
> see little point in blindly accepting something that isn't obviously
> an email address.
>
> The other common vulnerable field seems to be the Subject, though I
> see very little reason not to restrict that (or any other
> non-address) field to something like
> /^([-a-z0-9!@#$%^&*()_\[\]{}\\|;:'",.<>\/?+= ]+)$/i, especially
> considering the fact that non-ascii characters are usually frowned
> upon in email headers.
>
> Also, correct me if I'm wrong but I believe the %0A encoding is purely
> used in the request string, once it gets into PHP it will just see
> either \n or \r, the literal string %0A does not pose any risk to
> emails as a string itself.

The combination of email address checking and subject field checking is
one way of preventing this exploit. And of course, it's always a good idea
to validate input, and prevent odd characters from entering your runtime
environment.

However, for this particular exploit, it's easy to prevent. It's simply not
possible for this exploit to work without the Content-Type: string.
Searched for, in a case-insensitive manner, across all submitted form
fields, it will detect and thwart this exploit immediately.

The only caveat that I've found is when character encoding might be
involved. I haven't seen that it's very common, but it's out there:

http://www.faqs.org/rfcs/rfc2047.html

Does anyone have access to an SMTP server that is known to work with
non-ASCII headers for testing?

And as an FYI, Wikipedia scores again with an excellent resource on MIME
and email from a technical perspective:

http://en.wikipedia.org/wiki/MIME

---
Hans Zaunere / President / New York PHP
www.nyphp.org / www.nyphp.com

From lists at zaunere.com Fri Sep 23 06:32:23 2005
From: lists at zaunere.com (Hans Zaunere)
Date: Fri, 23 Sep 2005 06:32:23 -0400
Subject: [nycphp-talk] email injection bot taking a break?
In-Reply-To:
Message-ID: <0MKoyl-1EIkqv19a1-0002Cx@mrelay.perfora.net>

David Mintz wrote on Thursday, September 22, 2005 12:04 PM:
> I was logging and emailing myself every time one of my contact.php
> pages was being abused by our little friend who inspired the latest
> Phundie article. It was cranking for a couple weeks, but has lately
> dropped to zero visits/day.
>
> Anybody else observed a similar trend, or am i just lucky?

Lucky :)

Perhaps there's been a small decline in attempts, but they're still going
strong.
I'm seeing about two dozen a day across a couple of forms.

---
Hans Zaunere / President / New York PHP
www.nyphp.org / www.nyphp.com

From lists at zaunere.com Fri Sep 23 07:36:56 2005
From: lists at zaunere.com (Hans Zaunere)
Date: Fri, 23 Sep 2005 07:36:56 -0400
Subject: [nycphp-talk] worm/virus's hammering feedback scripts?POLISHEDVERSION
In-Reply-To:
Message-ID: <0MKoyl-1EIlrN2ryD-0004IS@mrelay.perfora.net>

matthijs abeelen scribbled on Thursday, September 15, 2005 2:04 AM:
> This problem is spreading very fast, a good summary of the best
> solution(s) is needed indeed. Unfortunately, I'm not the one who can
> do that. Waiting eagerly for the article on Phundamentals!
>
> "We're working on getting a Phundamentals article online covering the
> discussion over the last couple of days. Thanks Roland and everyone
> for their feedback and discussion."

We're working on it. And I've attached what a first stab at a PHP 5 class
would look like, with example usage here:

    $MyMail = new MailProtect;
    $MyMail->SetFrom($_POST['From']);
    $MyMail->SetTo($_POST['To']);
    $MyMail->SetCc('admin at somwhere.com');
    $MyMail->SetSubject($_POST['Subject']);
    $MyMail->SetBody('Thank you for your submission!');

    if( $MyMail->SendMail() === TRUE )
        echo 'Mail Sent';
    else
        echo 'WARNING: Header validation failed; possible exploitation attempt';

Feel free to play around with the code, but I've never executed it, so
there might even be a parse error, or it might just not work, and
obviously more could be added or extended to it. So consider that my
disclaimer :)

---
Hans Zaunere / President / New York PHP
www.nyphp.org / www.nyphp.com
-------------- next part --------------
A non-text attachment was scrubbed...
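Hans's MailProtect.inc was scrubbed from the archive. What follows is an added example written for this page, not Hans's class, NYPHP's code or the Phundamentals article: a small guard that applies the checks this thread converges on before mail() is ever called. It uses Dan Cech's address and subject validation (his subject regex verbatim), Hans's case-insensitive scan of every submitted field for Content-Type:, and a plain CR/LF check on the header-bound fields, which rejects an injected Bcc: line whether or not the payload mentions Content-Type. Unlike the usage snippet above, the recipient and Cc are fixed server-side rather than read from the form, so the script cannot be turned into a relay. The class and method names (HeaderGuard, prepare, ...) and the sample submissions are the example's own, and it assumes PHP 7.1 or later.

```php
<?php
// Added example for this page; not Hans Zaunere's MailProtect.inc (the
// attachment was scrubbed from the archive) and not NYPHP code.
// Names (HeaderGuard, prepare, ...) and sample data are the example's own.
// Assumes PHP 7.1+.

final class HeaderGuard
{
    // Dan Cech's whitelist for the Subject (and other non-address header fields).
    const SUBJECT_PATTERN = '/^([-a-z0-9!@#$%^&*()_\[\]{}\\\\|;:\'",.<>\/?+= ]+)$/i';

    // Conservative address shape: local part, one @, dotted domain, no whitespace.
    const ADDRESS_PATTERN = '/^[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)*\.[A-Za-z]{2,}\z/';

    // A CR or LF in a header value starts a new header line: this is the actual
    // injection vector. %0A/%0D are already decoded by the time PHP fills $_POST.
    public static function hasLineBreak(string $value): bool
    {
        return preg_match('/[\r\n]/', $value) === 1;
    }

    public static function looksLikeAddress(string $value): bool
    {
        return preg_match(self::ADDRESS_PATTERN, $value) === 1;
    }

    // Hans's signature check: scan every submitted field, case-insensitively,
    // for the Content-Type: string the bot needs to attach its payload.
    public static function mentionsContentType(array $fields): bool
    {
        foreach ($fields as $value) {
            if (is_string($value) && stripos($value, 'content-type:') !== false) {
                return true;
            }
        }
        return false;
    }

    // Validates the submitted form ($fields, e.g. $_POST). Returns the subject and
    // the extra-headers string for mail(), or null when any check fails. The Cc is
    // fixed by the site, never taken from the user.
    public static function prepare(array $fields, string $cc): ?array
    {
        $from    = is_string($fields['From'] ?? null)    ? $fields['From']    : '';
        $subject = is_string($fields['Subject'] ?? null) ? $fields['Subject'] : '';

        if (self::mentionsContentType($fields)) {
            return null;
        }
        if (self::hasLineBreak($from) || self::hasLineBreak($subject)) {
            return null;
        }
        if (!self::looksLikeAddress($from) || !self::looksLikeAddress($cc)) {
            return null;
        }
        if ($subject === '' || preg_match(self::SUBJECT_PATTERN, $subject) !== 1) {
            return null;
        }
        return ['subject' => $subject, 'headers' => "From: $from\r\nCc: $cc\r\n"];
    }
}

// Constructed sample submissions, not traffic from the archive.
$samples = [
    'legitimate' => [
        'From'    => 'alice@example.com',
        'Subject' => 'Question about hosting',
        'Message' => 'Hi, do you offer backups?',
    ],
    // A Bcc: line smuggled into the From field; rejected by the line-break
    // check even though it never mentions Content-Type.
    'injected-bcc' => [
        'From'    => "alice@example.com\r\nBcc: someone@example.net",
        'Subject' => 'hello',
        'Message' => 'x',
    ],
    // The Content-Type: marker described in the thread, placed in the body field.
    'injected-mime' => [
        'From'    => 'alice@example.com',
        'Subject' => 'hello',
        'Message' => "text\r\nContent-Type: text/html\r\n\r\nunwanted",
    ],
];

foreach ($samples as $label => $fields) {
    $ready = HeaderGuard::prepare($fields, 'admin@example.com');
    if ($ready === null) {
        // Log $fields and $_SERVER['REMOTE_ADDR'] here; do not call mail().
        echo "$label: REJECTED, possible header injection attempt\n";
        continue;
    }
    echo "$label: ok, headers would be: " . str_replace("\r\n", ' | ', $ready['headers']) . "\n";
    // mail('owner@example.com', $ready['subject'], $fields['Message'], $ready['headers']);
}
```

Run it from the command line with php; the mail() call stays commented out so nothing is sent, and only the first sample passes. The third sample shows the trade-off of scanning every field: a body that merely mentions Content-Type: is rejected too, so a site whose textarea legitimately needs that phrase would restrict the Content-Type scan to the header-bound fields and rely on the line-break and address checks for the rest, since the body itself never becomes a header.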
Name: MailProtect.inc
Type: application/octet-stream
Size: 2141 bytes
Desc: not available
URL:

From hans.zaunere at nyphp.com Fri Sep 23 09:05:27 2005
From: hans.zaunere at nyphp.com (Hans Zaunere)
Date: Fri, 23 Sep 2005 09:05:27 -0400
Subject: [nycphp-talk] Google TV
Message-ID: <0MKp2t-1EInF30om5-0002Uw@mrelay.perfora.net>

Good morning,

Wasn't aware of this until I was flipping around cable the other night.

http://google.blognewschannel.com/index.php/archives/2005/04/04/google-coming-to-a-tv-near-you/

---
Hans Zaunere / President / New York PHP
www.nyphp.org / www.nyphp.com

From dmintz at davidmintz.org Fri Sep 23 12:24:37 2005
From: dmintz at davidmintz.org (David Mintz)
Date: Fri, 23 Sep 2005 12:24:37 -0400 (EDT)
Subject: [nycphp-talk] [OT] if you host on Ev1, back up your servers a.s.a.p.
	because Rita is coming
In-Reply-To:
References: <14911-94623@sneakemail.com>
	<0MKoyl-1EIYtg1Nfh-0003RO@mrelay.perfora.net>
Message-ID:

On Thu, 22 Sep 2005, csnyder wrote:
> On 9/22/05, Hans Zaunere wrote:
> > The Montana Hosting Company...
>
> Toronto is the way to go, I think. Plenty of fiber, intelligent
> workforce, few natural disasters. And you get to pay with Canadian
> dollars.
>

You outsourcer, you... (-:

---
David Mintz
http://davidmintz.org/

From dmintz at davidmintz.org Fri Sep 23 12:34:37 2005
From: dmintz at davidmintz.org (David Mintz)
Date: Fri, 23 Sep 2005 12:34:37 -0400 (EDT)
Subject: [nycphp-talk] Phundamentals Title Change: Email Header Injection
In-Reply-To: <0MKp2t-1EIknW2BEN-0006Gg@mrelay.perfora.net>
References: <0MKp2t-1EIknW2BEN-0006Gg@mrelay.perfora.net>
Message-ID:

On Fri, 23 Sep 2005, Hans Zaunere wrote:
>
> However for this particular exploit, it's easy to prevent. It's simply not
> possible for this exploit to work without the Content-Type: string.
> Searched for, in a case-insensitive manner, across all submitted form
> fields, will detect and thwart this exploit immediately.
>

Yes, and I gratefully borrowed your snippet to tighten up a couple of my own scripts. The only conceivable drawback is that if user input is destined to become the message body -- a textarea for the user to type a message -- and for some reason the user legitimately wants to say something like "Have you guys heard about the Content-type: attack?" Granted, it's unusual, but still... Kind of like the caveat against training Spamassassin with ham that discusses spam.

---
David Mintz
http://davidmintz.org/

From kenrbnsn at rbnsn.com Fri Sep 23 13:38:00 2005
From: kenrbnsn at rbnsn.com (Ken Robinson)
Date: Fri, 23 Sep 2005 13:38:00 -0400
Subject: [nycphp-talk] email injection bot taking a break?
In-Reply-To: <0MKoyl-1EIkqv19a1-0002Cx@mrelay.perfora.net>
References: <0MKoyl-1EIkqv19a1-0002Cx@mrelay.perfora.net>
Message-ID: <6.2.5.4.2.20050923133203.05ab5040@rbnsn.com>

At 06:32 AM 9/23/2005, Hans Zaunere wrote:
>Perhaps there's been a small decline in attempts, but they're still going
>strong. I'm seeing about two dozen a day across a couple of forms.

Just got a bunch of attempts from "Remote Address:202.101.173.68".

Ken

From scott at crisscott.com Fri Sep 23 13:43:38 2005
From: scott at crisscott.com (Scott Mattocks)
Date: Fri, 23 Sep 2005 13:43:38 -0400
Subject: [nycphp-talk] email injection bot taking a break?
In-Reply-To: <6.2.5.4.2.20050923133203.05ab5040@rbnsn.com>
References: <0MKoyl-1EIkqv19a1-0002Cx@mrelay.perfora.net> <6.2.5.4.2.20050923133203.05ab5040@rbnsn.com>
Message-ID: <43343ECA.9000701@crisscott.com>

Ken Robinson wrote:
> At 06:32 AM 9/23/2005, Hans Zaunere wrote:
>
>>Perhaps there's been a small decline in attempts, but they're still going
>>strong. I'm seeing about two dozen a day across a couple of forms.
>
> Just got a bunch of attempts from "Remote Address:202.101.173.68".

A quick whois check puts that address somewhere in the Zhejiang province of China. While not impossible, I am guessing that the perpetrator is not a member of this list.
Scott

From rolan at omnistep.com Fri Sep 23 14:15:25 2005
From: rolan at omnistep.com (Rolan Yang)
Date: Fri, 23 Sep 2005 14:15:25 -0400
Subject: [nycphp-talk] email injection bot taking a break?
In-Reply-To: <6.2.5.4.2.20050923133203.05ab5040@rbnsn.com>
References: <0MKoyl-1EIkqv19a1-0002Cx@mrelay.perfora.net> <6.2.5.4.2.20050923133203.05ab5040@rbnsn.com>
Message-ID: <4334463D.8090108@omnistep.com>

I have received hundreds of them from all over the world. Blocking IPs is even more futile than filtering mail server logs with a list of known emails.

Ken Robinson wrote:
>At 06:32 AM 9/23/2005, Hans Zaunere wrote:
>
>>Perhaps there's been a small decline in attempts, but they're still going
>>strong. I'm seeing about two dozen a day across a couple of forms.
>
>Just got a bunch of attempts from "Remote Address:202.101.173.68".
>
>Ken

From jsiegel1 at optonline.net Fri Sep 23 14:36:07 2005
From: jsiegel1 at optonline.net (Jeff Siegel)
Date: Fri, 23 Sep 2005 14:36:07 -0400
Subject: [nycphp-talk] email injection bot taking a break?
In-Reply-To: <4334463D.8090108@omnistep.com>
Message-ID: <0INA00LUR90E5J30@mta4.srv.hcvlny.cv.net>

The attempts that I had caught came from XO communications here in the U.S. and from Poland.

Jeff

-----Original Message-----
From: talk-bounces at lists.nyphp.org [mailto:talk-bounces at lists.nyphp.org] On Behalf Of Rolan Yang
Sent: Friday, September 23, 2005 1:15 PM
To: NYPHP Talk
Subject: Re: [nycphp-talk] email injection bot taking a break?

I have received hundreds of them from all over the world. Blocking IPs is even more futile than filtering mail server logs with a list of known emails.

Ken Robinson wrote:
>At 06:32 AM 9/23/2005, Hans Zaunere wrote:
>
>>Perhaps there's been a small decline in attempts, but they're still going
>>strong. I'm seeing about two dozen a day across a couple of forms.
>
>Just got a bunch of attempts from "Remote Address:202.101.173.68".
>
>Ken

From 1j0lkq002 at sneakemail.com Fri Sep 23 17:11:00 2005
From: 1j0lkq002 at sneakemail.com (inforequest)
Date: Fri, 23 Sep 2005 14:11:00 -0700
Subject: [nycphp-talk] Geoselect alternatives?
In-Reply-To: <4333CA8D.7090201@gmail.com>
References: <4333CA8D.7090201@gmail.com>
Message-ID: <23118-60644@sneakemail.com>

(just goes to show how a mention on the NYPHP list gets a product immediate attention!)

I checked out Geoselect.com for their geo-location service and it looks good. Nice package, and great presentation, and very considerate $49 developer license. I currently work with Tigerline via custom code, but I would very much prefer to let a company maintain this portion (exactly like Geoselect purports to). However, it is too expensive for multiple very high traffic sites. I also would want code access to insert open proxy checks and such.

What open source options are there to do what GeoSelect does? (resolve IP to City, State, Country, Lat, Long) server side in memory, with caching, perhaps placing the values in server vars like GeoSelect does? Maybe there is not yet a comprehensive (quality) IP to Geo database being maintained open source?

Thanks for any help.

-=john andrews
http://www.seo-fun.com

From 1j0lkq002 at sneakemail.com Fri Sep 23 17:43:58 2005
From: 1j0lkq002 at sneakemail.com (inforequest)
Date: Fri, 23 Sep 2005 14:43:58 -0700
Subject: [nycphp-talk] Phundamentals Title Change: Email Header Injection
In-Reply-To:
References: <0MKp2t-1EIknW2BEN-0006Gg@mrelay.perfora.net>
Message-ID: <6557-14800@sneakemail.com>

David Mintz dmintz-at-davidmintz.org |nyphp dev/internal group use| wrote:
>On Fri, 23 Sep 2005, Hans Zaunere wrote:
>
>>However for this particular exploit, it's easy to prevent.
>>It's simply not
>>possible for this exploit to work without the Content-Type: string.
>>Searched for, in a case-insensitive manner, across all submitted form
>>fields, will detect and thwart this exploit immediately.
>
>Yes, and I gratefully borrowed your snippet to tighten up a couple of my
>own scripts. The only conceivable drawback is that if user input is
>destined to become the message body -- a textarea for the user
>to type a message -- and for some reason the user legitimately wants to
>say something like "Have you guys heard about the Content-type:
>attack?" Granted, it's unusual, but still... Kind of like the caveat
>against training Spamassassin with ham that discusses spam.
>
>---
>David Mintz
>http://davidmintz.org/

You might consider an old SEO trick and just swap in an invalid version of that string, that still makes sense to the reader. Perhaps replacing "Content-type:" with "Content-type (colon)" for example, leaves it in the text but not functional.

-=john andrews
http://www.seo-fun.com

From lists at zaunere.com Fri Sep 23 19:33:38 2005
From: lists at zaunere.com (Hans Zaunere)
Date: Fri, 23 Sep 2005 19:33:38 -0400
Subject: [nycphp-talk] Phundamentals Title Change: Email Header Injection
In-Reply-To: <6557-14800@sneakemail.com>
Message-ID: <0MKoyl-1EIx2y2oN1-0002rh@mrelay.perfora.net>

inforequest wrote on Friday, September 23, 2005 5:44 PM:
> David Mintz dmintz-at-davidmintz.org |nyphp dev/internal group use|
> wrote:
> > On Fri, 23 Sep 2005, Hans Zaunere wrote:
> > > However for this particular exploit, it's easy to prevent. It's
> > > simply not possible for this exploit to work without the
> > > Content-Type: string. Searched for, in a case-insensitive manner,
> > > across all submitted form fields, will detect and thwart this
> > > exploit immediately.
> >
> > Yes, and I gratefully borrowed your snippet to tighten up a couple
> > of my own scripts.
> > The only conceivable drawback is that if user
> > input is destined to become the message body -- a textarea for the
> > user to type a message -- and for some reason the user legitimately
> > wants to say something like "Have you guys heard about the
> > Content-type: attack?" Granted, it's unusual, but still... Kind of
> > like the caveat against training Spamassassin with ham that
> > discusses spam.

The small snippet does check every submitted form field, so this could be an issue, albeit in the years-of-web-development-never-seen-this-as-a-problem department.

The other side of this, however, is the MailProtect.inc class I posted earlier. It only checks header fields, which is the area of concern. A Content-Type: in the body isn't a problem in this case, so MailProtect.inc (anyone played with it yet?) would be the better solution.

> You might consider an old SEO trick and just swap in an invalid version
> of that string, that still makes sense to the reader. Perhaps replacing
> "Content-type:" with "Content-type (colon)" for example, leaves it in
> the text but not functional.

And that would solve it, assuming the first bit of code.

---
Hans Zaunere / President / New York PHP
www.nyphp.org / www.nyphp.com

From shiflett at php.net Sat Sep 24 00:17:32 2005
From: shiflett at php.net (Chris Shiflett)
Date: Sat, 24 Sep 2005 00:17:32 -0400
Subject: [nycphp-talk] Phundamentals Title Change: Email Header Injection
In-Reply-To:
References: <0MKp2t-1EIknW2BEN-0006Gg@mrelay.perfora.net>
Message-ID: <4334D35C.3020401@php.net>

David Mintz wrote:
> The only conceivable drawback is that if user input is destined to
> become the message body -- a textarea for the user to type a
> message -- and for some reason the user legitimately wants to say
> something like "Have you guys heard about the Content-type:
> attack?" Granted, it's unusual

It just happened.
:-)

Chris

--
Chris Shiflett
Brain Bulb, The PHP Consultancy
http://brainbulb.com/

From andrew at plexpod.com Sat Sep 24 00:30:22 2005
From: andrew at plexpod.com (Andrew Yochum)
Date: Sat, 24 Sep 2005 00:30:22 -0400
Subject: [nycphp-talk] Geoselect alternatives?
In-Reply-To: <23118-60644@sneakemail.com>
References: <4333CA8D.7090201@gmail.com> <23118-60644@sneakemail.com>
Message-ID: <20050924043021.GA15749@desario.homelinux.net>

John,

On Fri, Sep 23, 2005 at 02:11:00PM -0700, inforequest wrote:
> What open source options are there to do what GeoSelect does? (resolve
> IP to City, State, Country, Lat, Long) server side in memory, with
> caching, perhaps placing the values in server vars like GeoSelect does?
> Maybe there is not yet a comprehensive (quality) IP to Geo database
> being maintained open source?

There wasn't that I was aware of until poking around a bit tonight...

I've used the perl Geo::IPfree module in the past, but can't speak to the data's thoroughness or quality. I was interested in rough aggregate quick and dirty stats at the time (a while back now), and I got this one working very quickly. It only does IP->Country stuff, so not really what you want.
  http://search.cpan.org/~gmpassos/Geo-IPfree-0.2/lib/Geo/IPfree.pm

There also seem to be various methods of accessing the freely available MaxMind from within PHP now.
  http://www.maxmind.com/app/php
  http://www.maxmind.com/geoip/api/c.shtml
  http://www.maxmind.com/download/geoip/database/
Also, only IP->Country - at least, in open source, that is.
Including their PEAR package for PHP 5 that seems to allow you to use their commercial DB for more granular data:
  http://pear.php.net/pepr/pepr-proposal-show.php?id=91

And in looking at that stuff just now I noticed right next door to it in PEAR is the Net_Geo PEAR package which seems to maybe do just what you want using the CAIDA database:
  http://pear.php.net/package/Net_Geo/
  http://www.caida.org/
I just played around with it a bit and found it very easy to use, and reasonably accurate in locating a few IPs I threw at it. It tells you the granularity of the result, too. It makes a remote HTTP request to a CGI on the CAIDA site and caches the results. Uncached queries certainly lag a bit. It could do the trick depending on your needs.

HTH,
Andrew

--
Andrew Yochum
Plexpod
andrew at plexpod.com
718-360-0879

From shiflett at php.net Sat Sep 24 01:40:08 2005
From: shiflett at php.net (Chris Shiflett)
Date: Sat, 24 Sep 2005 01:40:08 -0400
Subject: [nycphp-talk] Geoselect alternatives?
In-Reply-To: <20050924043021.GA15749@desario.homelinux.net>
References: <4333CA8D.7090201@gmail.com> <23118-60644@sneakemail.com> <20050924043021.GA15749@desario.homelinux.net>
Message-ID: <4334E6B8.4040309@php.net>

Andrew Yochum wrote:
> There also seem to be various methods of accessing the freely available
> MaxMind from within PHP now.

I've used this with great success for some pretty busy work (more than 10 million lookups a day). If your needs are more demanding, I think they also have an Apache module.

Chris

--
Chris Shiflett
Brain Bulb, The PHP Consultancy
http://brainbulb.com/

From andrew at plexpod.com Sat Sep 24 06:38:34 2005
From: andrew at plexpod.com (Andrew Yochum)
Date: Sat, 24 Sep 2005 06:38:34 -0400
Subject: [nycphp-talk] Geoselect alternatives?
In-Reply-To: <4334E6B8.4040309@php.net>
References: <4333CA8D.7090201@gmail.com> <23118-60644@sneakemail.com> <20050924043021.GA15749@desario.homelinux.net> <4334E6B8.4040309@php.net>
Message-ID: <20050924103832.GD15749@desario.homelinux.net>

On Sat, Sep 24, 2005 at 01:40:08AM -0400, Chris Shiflett wrote:
> Andrew Yochum wrote:
> > There also seem to be various methods of accessing the freely available
> > MaxMind from within PHP now.
>
> I've used this with great success for some pretty busy work (more than
> 10 million lookups a day). If your needs are more demanding, I think
> they also have an Apache module.

Just curious... Were you using the free "country" database or the commercial db w/ city level data?

Andrew

--
Andrew Yochum
Plexpod
andrew at plexpod.com
718-360-0879

From jeff.siegel at nyphp.org Sat Sep 24 16:42:50 2005
From: jeff.siegel at nyphp.org (Jeff Siegel)
Date: Sat, 24 Sep 2005 16:42:50 -0400
Subject: [nycphp-talk] Phundamental: Email Header Injection Exploit - Revised
Message-ID: <0INC00C079JOM3D0@mta3.srv.hcvlny.cv.net>

An extensively revised PHundamental has been posted. As always, comments and suggestions are welcome.

See: http://www.nyphp.org/phundamentals/email_header_injection.php

Jeff Siegel
NYPHP PHundamentals

From 1j0lkq002 at sneakemail.com Sat Sep 24 17:15:13 2005
From: 1j0lkq002 at sneakemail.com (inforequest)
Date: Sat, 24 Sep 2005 14:15:13 -0700
Subject: [nycphp-talk] Geoselect alternatives?
In-Reply-To: <20050924043021.GA15749@desario.homelinux.net>
References: <4333CA8D.7090201@gmail.com> <23118-60644@sneakemail.com> <20050924043021.GA15749@desario.homelinux.net>
Message-ID: <14305-63499@sneakemail.com>

Andrew Yochum andrew-at-plexpod.com |nyphp dev/internal group use| wrote:
>John,
>
>On Fri, Sep 23, 2005 at 02:11:00PM -0700, inforequest wrote:
>
>>What open source options are there to do what GeoSelect does?
>>(resolve
>>IP to City, State, Country, Lat, Long) server side in memory, with
>>caching, perhaps placing the values in server vars like GeoSelect does?
>>Maybe there is not yet a comprehensive (quality) IP to Geo database
>>being maintained open source?
>
>There wasn't that I was aware of until poking around a bit tonight...
>
>I've used the perl Geo::IPfree module in the past, but can't speak to
>the data's thoroughness or quality. I was interested in rough aggregate
>quick and dirty stats at the time (a while back now), and I got this one
>working very quickly. It only does IP->Country stuff, so not really
>what you want.
> http://search.cpan.org/~gmpassos/Geo-IPfree-0.2/lib/Geo/IPfree.pm
>
>There also seem to be various methods of accessing the freely available
>MaxMind from within PHP now.
> http://www.maxmind.com/app/php
> http://www.maxmind.com/geoip/api/c.shtml
> http://www.maxmind.com/download/geoip/database/
>Also, only IP->Country - at least, in open source, that is. Including
>their PEAR package for PHP 5 that seems to allow you to use their
>commercial DB for more granular data:
> http://pear.php.net/pepr/pepr-proposal-show.php?id=91
>
>And in looking at that stuff just now I noticed right next door to it in
>PEAR is the Net_Geo PEAR package which seems to maybe do just what you
>want using the CAIDA database:
> http://pear.php.net/package/Net_Geo/
> http://www.caida.org/
>I just played around with it a bit and found it very easy to use, and
>reasonably accurate in locating a few IPs I threw at it. It tells you
>the granularity of the result, too. It makes a remote HTTP request to a
>CGI on the CAIDA site and caches the results. Uncached queries
>certainly lag a bit. It could do the trick depending on your needs.
>
>HTH,
>Andrew

Thanks Andrew. I know maxmind from MaxMedia, but not using city yet (and not stable yet). I'll look at the PHP interfaces now.
CAIDA site says "NOTE: NetGeo has not been actively maintained for /several years/, and this will probably not change in the foreseeable future. As a result, there are several known major issues affecting accuracy and service availability. Please be warned that NetGeo may give /wildly incorrect/ results, especially for recently allocated or re-assigned IP addresses."

It fails to an ARIN Whois lookup also...

-=john andrews
http://www.seo-fun.com

From shiflett at php.net Sat Sep 24 23:51:43 2005
From: shiflett at php.net (Chris Shiflett)
Date: Sat, 24 Sep 2005 23:51:43 -0400
Subject: [nycphp-talk] Geoselect alternatives?
In-Reply-To: <20050924103832.GD15749@desario.homelinux.net>
References: <4333CA8D.7090201@gmail.com> <23118-60644@sneakemail.com> <20050924043021.GA15749@desario.homelinux.net> <4334E6B8.4040309@php.net> <20050924103832.GD15749@desario.homelinux.net>
Message-ID: <43361ECF.8030002@php.net>

Andrew Yochum wrote:
> Just curious... Were you using the free "country" database
> or the commercial db w/ city level data?

Just the free one. It had trouble with some stuff (most of the problem areas are known and supposedly addressed in the non-free versions), but we found it to be fast enough to fit our needs and accurate enough to be useful.

What originally caught my eye when we were searching around:

1. MySQL AB was using it.
2. Jim Winstead wrote the PHP library for it.
3. It was free.

Chris

--
Chris Shiflett
Brain Bulb, The PHP Consultancy
http://brainbulb.com/

From andrew at plexpod.com Sun Sep 25 08:26:52 2005
From: andrew at plexpod.com (Andrew Yochum)
Date: Sun, 25 Sep 2005 08:26:52 -0400
Subject: [nycphp-talk] Geoselect alternatives?
In-Reply-To: <14305-63499@sneakemail.com>
References: <4333CA8D.7090201@gmail.com> <23118-60644@sneakemail.com> <20050924043021.GA15749@desario.homelinux.net> <14305-63499@sneakemail.com>
Message-ID: <20050925122650.GG15749@desario.homelinux.net>

On Sat, Sep 24, 2005 at 02:15:13PM -0700, inforequest wrote:
> CAIDA site says "NOTE: NetGeo has not been actively maintained for
> /several years/, and this will probably not change in the foreseeable
> future. As a result, there are several known major issues affecting
> accuracy and service availability. Please be warned that NetGeo may give
> /wildly incorrect/ results, especially for recently allocated or
> re-assigned IP addresses."
>
> It fails to an ARIN Whois lookup also...

Good sleuthing. Thanks for the info.

Andrew

--
Andrew Yochum
Plexpod
andrew at plexpod.com
718-360-0879

From hans at cyberxdesigns.com Mon Sep 26 09:55:53 2005
From: hans at cyberxdesigns.com (Hans C. Kaspersetz)
Date: Mon, 26 Sep 2005 09:55:53 -0400
Subject: [nycphp-talk] August Presentation Posted
Message-ID: <4337FDE9.5000009@cyberxdesigns.com>

From the better late than never department, we have posted the August presentation, audio and photos.

Presentation: http://www.nyphp.org/content/presentations/index.php
Audio: http://www.nyphp.org/content/mp3/nyphp082305.mp3
Photos: http://www.nyphp.org/content/gallery/view_album.php?set_albumName=aug05

Your humble presentation lackey,

Hans Kaspersetz
hans.kaspersetz at nyphp.org
http://www.cyberxdesigns.com

-----------------------------------
Presentation Blurb
-----------------------------------

Internal NYPHP Presentation, August 22, 2005
Tools for Writing Better Code-Part 1

It's August, it's hot and everyone is either on vacation or too delusional from the heat to get any serious work done - including us, considering how long it took us to post this! What better opportunity to present the first part of our long awaited series on writing better PHP code.
Join the New York PHP core developers as we present some of the tools we use to enhance the single or multi-developer environment.

President Hans Zaunere will present on using Windows XP to develop remotely with Eclipse / PHP and Subversion (.PPT). Exposing concepts such as how to get Windows to talk to a remote Webdav / Subversion server, and brief examples of the improved workflow, this is sure to improve your development with the Windows client.

Vice President Jeff Knight and Core Developer Andrew Yochum will team up to explore why Subversion is an excellent choice for Version and Source Control, and the choice internally at New York PHP. Further they will demonstrate how Subversion can be used to manage multiple projects and developers as well as development and production environments.

With any time left over, we'd like to offer the opportunity to bring the Talk list face to face. Come prepared with your questions / problems and solutions and we'll open up the floor to discuss your topics.

From codebowl at gmail.com Mon Sep 26 19:57:45 2005
From: codebowl at gmail.com (Joseph Crawford)
Date: Mon, 26 Sep 2005 19:57:45 -0400
Subject: [nycphp-talk] Zend Debugger
Message-ID: <8d9a42800509261657407b9a3f@mail.gmail.com>

I am trying out the beta of Zend Studio. I am trying to run the studio server debugger; when I login to the studio server web interface I get errors about the ini_modifier, so I executed it from the command line and I get the error that the ini directory is not writable. My question is, where is this ini directory??

--
Joseph Crawford Jr.
Zend Certified Engineer
Codebowl Solutions, Inc.
1-802-671-2021
codebowl at gmail.com

-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From mikko.rantalainen at peda.net Tue Sep 27 08:03:44 2005
From: mikko.rantalainen at peda.net (Mikko Rantalainen)
Date: Tue, 27 Sep 2005 15:03:44 +0300
Subject: [nycphp-talk] worm/virus's hammering feedback scripts?POLISHEDVERSION
In-Reply-To: <0MKoyl-1EIlrN2ryD-0004IS@mrelay.perfora.net>
References: <0MKoyl-1EIlrN2ryD-0004IS@mrelay.perfora.net>
Message-ID: <43393520.3050600@peda.net>

Hans Zaunere wrote:
> matthijs abeelen scribbled on Thursday, September 15, 2005 2:04 AM:
>
>>This problem is spreading very fast, a good summary of the best
>>solution(s) is needed indeed. Unfortunately, I'm not the one who can
>>do that. Waiting eagerly for the article on Phundamentals!
>
> We're working on it.
>
> And I've attached what a first stab at a PHP 5 class would look like, with
> example usage here:
>
> $MyMail = new MailProtect;
> $MyMail->SetFrom($_POST['From']);
> $MyMail->SetTo($_POST['To']);
> $MyMail->SetCc('admin at somwhere.com');
> $MyMail->SetSubject($_POST['Subject']);
> $MyMail->SetBody('Thank you for your submission!');
>
> if( $MyMail->SendMail() === TRUE )
>     echo 'Mail Sent';
> else
>     echo 'WARNING: Header validation failed; possible exploitation attempt';

How about

$MyMail->addTo(...);
$MyMail->addCc(...);
$MyMail->addBcc(...);

instead of setXXX() variants? From, Subject and Body always have exactly one value but To, Cc and Bcc fields can contain multiple items. If the protecting wrapper class forces one to add a single recipient at a time misuse of these fields is a bit harder by mistake.

Also, I'd prefer those methods to accept two parameters instead of just one. For example,

function addTo($email,$display_name="") {...}

So that user of this class never needs to encode any special characters or merge display name and email in the same string.

I'd add $MyMail->addHeader($name,$value) for adding a single additional header too.
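The wrapper this thread sketches (Hans's MailProtect usage quoted above, Mikko's addTo/addCc/addBcc with a separate display name, and addHeader), written out as an added example. It is not MailProtect.inc, which was only an attachment and is not in the archive; the class name SafeMail, the method names and the sample addresses are assumptions, and it needs PHP 7.4 or later. Only values bound for headers are checked, so the textarea case David raised passes while an injected header line does not.

```php
<?php
// Added example, not the MailProtect.inc from the thread (that file was only an
// attachment and is not in the archive); class and method names are assumed.
final class SafeMail
{
    private string $from = '';
    private string $subject = '';
    private string $body = '';
    private array $recipients = ['To' => [], 'Cc' => [], 'Bcc' => []];
    private array $extraHeaders = [];

    // Every value bound for a header passes through here. A CR or LF would end
    // the current header and let a form field start new ones, so line breaks
    // (and NUL) are refused. The Content-Type: test is Hans's signature check,
    // applied to header fields only, never to the body.
    private static function headerValue(string $value): string
    {
        if (preg_match('/[\r\n\x00]/', $value) === 1) {
            throw new InvalidArgumentException('line break or NUL in header value');
        }
        if (stripos($value, 'content-type:') !== false) {
            throw new InvalidArgumentException('Content-Type: in header value');
        }
        return trim($value);
    }

    // Mikko's shape: address and display name are separate parameters, so the
    // caller never assembles or escapes "Name <addr>" by hand.
    private static function address(string $email, string $name): string
    {
        $email = self::headerValue($email);
        if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
            throw new InvalidArgumentException("not an address: $email");
        }
        if ($name === '') {
            return $email;
        }
        // RFC 5322 quoted-string: wrap in double quotes, escape \ and ".
        return '"' . addcslashes(self::headerValue($name), "\\\"") . "\" <$email>";
    }

    // One recipient per call; To, Cc and Bcc may each be called repeatedly.
    public function addTo(string $email, string $name = ''): self { return $this->add('To', $email, $name); }
    public function addCc(string $email, string $name = ''): self { return $this->add('Cc', $email, $name); }
    public function addBcc(string $email, string $name = ''): self { return $this->add('Bcc', $email, $name); }
    private function add(string $field, string $email, string $name): self
    {
        $this->recipients[$field][] = self::address($email, $name);
        return $this;
    }

    public function setFrom(string $email, string $name = ''): self { $this->from = self::address($email, $name); return $this; }
    public function setSubject(string $s): self { $this->subject = self::headerValue($s); return $this; }
    // The body is deliberately not scanned: mail() closes the header block
    // itself, so "Content-Type:" typed into a textarea stays ordinary text.
    public function setBody(string $body): self { $this->body = $body; return $this; }

    // Single extra header: plain token name, and the headers this class
    // manages cannot be set through this back door.
    public function addHeader(string $name, string $value): self
    {
        if (preg_match('/^[A-Za-z0-9-]+$/', $name) !== 1
            || in_array(strtolower($name), ['from', 'to', 'cc', 'bcc', 'subject'], true)) {
            throw new InvalidArgumentException("header not allowed here: $name");
        }
        $this->extraHeaders[$name] = self::headerValue($value);
        return $this;
    }

    // Additional-headers block for mail(); To and Subject go in mail()'s own
    // parameters, and every element was validated when it was added.
    public function headers(): string
    {
        $lines = ['From: ' . $this->from];
        foreach (['Cc', 'Bcc'] as $field) {
            if ($this->recipients[$field] !== []) {
                $lines[] = "$field: " . implode(', ', $this->recipients[$field]);
            }
        }
        foreach ($this->extraHeaders as $name => $value) {
            $lines[] = "$name: $value";
        }
        return implode("\r\n", $lines);
    }

    public function send(): bool
    {
        return mail(implode(', ', $this->recipients['To']), $this->subject, $this->body, $this->headers());
    }
}

// Constructed input: a From field carrying an injected header line is refused.
try {
    (new SafeMail())->setFrom("bob@example.com\r\nContent-Type: multipart/mixed");
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
// David's textarea case: the attack string in the body is accepted.
$mail = (new SafeMail())->setFrom('bob@example.com', 'Bob "Builder" Example')
    ->addTo('webmaster@example.com')->addCc('admin@example.com', 'Site Admin')
    ->setSubject('Feedback')->setBody("Have you guys heard about the Content-type: attack?\n");
echo $mail->headers(), "\n";
```

The line-break test is what actually closes the hole, since no extra header can be appended without one; the Content-Type: test is kept where Hans says it belongs, on header fields only.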
--
Mikko

From dcech at phpwerx.net Tue Sep 27 08:13:01 2005
From: dcech at phpwerx.net (Dan Cech)
Date: Tue, 27 Sep 2005 08:13:01 -0400
Subject: [nycphp-talk] worm/virus's hammering feedback scripts?POLISHEDVERSION
In-Reply-To: <43393520.3050600@peda.net>
References: <0MKoyl-1EIlrN2ryD-0004IS@mrelay.perfora.net> <43393520.3050600@peda.net>
Message-ID: <4339374D.4000107@phpwerx.net>

I'd advise checking out phpmailer (http://phpmailer.sourceforge.net/). I haven't had a chance to look into it from a security perspective, but it does support almost every feature you could desire for sending email.

If there are security issues then I would suggest working on securing this existing and very mature product rather than rolling your own. Also, it is released under the LGPL so using it in commercial applications should not be a problem.

Dan

Mikko Rantalainen wrote:
> Hans Zaunere wrote:
>
>>matthijs abeelen scribbled on Thursday, September 15, 2005 2:04 AM:
>>
>>>This problem is spreading very fast, a good summary of the best
>>>solution(s) is needed indeed. Unfortunately, I'm not the one who can
>>>do that. Waiting eagerly for the article on Phundamentals!
>>
>>We're working on it.
>>
>>And I've attached what a first stab at a PHP 5 class would look like, with
>>example usage here:
>>
>>$MyMail = new MailProtect;
>>$MyMail->SetFrom($_POST['From']);
>>$MyMail->SetTo($_POST['To']);
>>$MyMail->SetCc('admin at somwhere.com');
>>$MyMail->SetSubject($_POST['Subject']);
>>$MyMail->SetBody('Thank you for your submission!');
>>
>>if( $MyMail->SendMail() === TRUE )
>>    echo 'Mail Sent';
>>else
>>    echo 'WARNING: Header validation failed; possible exploitation attempt';
>
> How about
>
> $MyMail->addTo(...);
> $MyMail->addCc(...);
> $MyMail->addBcc(...);
>
> instead of setXXX() variants? From, Subject and Body always have
> exactly one value but To, Cc and Bcc fields can contain multiple
> items.
> If the protecting wrapper class forces one to add a single
> recipient at a time misuse of these fields is a bit harder by mistake.
>
> Also, I'd prefer those methods to accept two parameters instead of
> just one. For example,
>
> function addTo($email,$display_name="") {...}
>
> So that user of this class never needs to encode any special
> characters or merge display name and email in the same string.
>
> I'd add $MyMail->addHeader($name,$value) for adding a single
> additional header too.

From mwithington at PLMresearch.com Tue Sep 27 17:04:49 2005
From: mwithington at PLMresearch.com (Mark Withington)
Date: Tue, 27 Sep 2005 17:04:49 -0400
Subject: [nycphp-talk] Project management solutions
Message-ID: <1F3CD8DDFB6A9B4C9B8DD06E4A7DE3580135531C@network.PLMresearch.com>

I'm on the front-end of a research project to locate "good" PHP project management solutions. So far I've identified the following candidates. Does anyone have experience with

PHProjekt http://www.phprojekt.com/
DOTproject http://www.dotproject.net/
Netoffice http://netoffice.sourceforge.net
TUTOS http://www.tutos.org
more.groupware http://mgw.k-fish.de/
phpGroupWare http://www.phpgroupware.org/

Any ones that I've missed?

Thanks in advance,
Mark

--------------------------
Mark L. Withington
PLMresearch
"eBusiness for the Midsize Enterprise"
PO Box 1354
Plymouth, MA 02362
o: 800-310-3992 ext.
704
f: 508-746-4973
v: 508-746-2383
m: 508-801-0181
http://www.PLMresearch.com
AIM/MSN/Skype: PLMresearch
Yahoo: PLMresearch2000
mwithington at plmresearch.com
Public Key: http://www.plmresearch.com/keys/MLW_public_key.asc
Calendar: http://www.plmresearch.com/calendar.php

From matt at jiffycomp.com Tue Sep 27 21:27:49 2005
From: matt at jiffycomp.com (Matt Morgan)
Date: Tue, 27 Sep 2005 21:27:49 -0400
Subject: [nycphp-talk] Project management solutions
In-Reply-To: <1F3CD8DDFB6A9B4C9B8DD06E4A7DE3580135531C@network.PLMresearch.com>
References: <1F3CD8DDFB6A9B4C9B8DD06E4A7DE3580135531C@network.PLMresearch.com>
Message-ID: <4339F195.2010307@jiffycomp.com>

Mark Withington wrote:
>I'm on the front-end of a research project to locate "good" PHP project
>management solutions. So far I've identified the following candidates.
>Does anyone have experience with
>
>PHProjekt http://www.phprojekt.com/
>DOTproject http://www.dotproject.net/
>Netoffice http://netoffice.sourceforge.net
>TUTOS http://www.tutos.org
>more.groupware http://mgw.k-fish.de/
>phpGroupWare http://www.phpgroupware.org/
>
>Any ones that I've missed?

Last I checked, which was about 9 months ago, eGroupware was not so strong in project management but they have a new version coming out soon that will have it. Otherwise, they're a feature-rich and pretty well-supported php groupware package (http://egroupware.org).
From andrew at plexpod.com Tue Sep 27 22:45:51 2005
From: andrew at plexpod.com (Andrew Yochum)
Date: Tue, 27 Sep 2005 22:45:51 -0400
Subject: [nycphp-talk] Project management solutions
In-Reply-To: <4339F195.2010307@jiffycomp.com>
References: <1F3CD8DDFB6A9B4C9B8DD06E4A7DE3580135531C@network.PLMresearch.com> <4339F195.2010307@jiffycomp.com>
Message-ID: <20050928024551.GY15749@desario.homelinux.net>

On Tue, Sep 27, 2005 at 09:27:49PM -0400, Matt Morgan wrote:
> Last I checked, which was about 9 months ago, eGroupware was not so
> strong in project management but they have a new version coming out soon
> that will have it. Otherwise, they're a feature-rich and pretty
> well-supported php groupware package (http://egroupware.org).

FWIW, there is also Kontact support in eGroupware for you Linux desktop users:
  http://www.kontact.org/groupwareservers.php

Not PM per-se stuff, but certainly a valuable feature.

Andrew

--
Andrew Yochum
Plexpod
andrew at plexpod.com
718-360-0879

From greg.rundlett at gmail.com Tue Sep 27 22:47:15 2005
From: greg.rundlett at gmail.com (Greg Rundlett)
Date: Tue, 27 Sep 2005 22:47:15 -0400
Subject: [nycphp-talk] [Bostonphptalk] Project management solutions
In-Reply-To: <1F3CD8DDFB6A9B4C9B8DD06E4A7DE3580135531C@network.PLMresearch.com>
References: <1F3CD8DDFB6A9B4C9B8DD06E4A7DE3580135531C@network.PLMresearch.com>
Message-ID: <5e2aaca405092719477f03e2ad@mail.gmail.com>

On 9/27/05, Mark Withington wrote:
>
> I'm on the front-end of a research project to locate "good" PHP project
> management solutions. So far I've identified the following candidates.
> Does anyone have experience with

There is BaseCamp[1], which is a hosted solution so I don't think you can get the code.
When I created the Virtual Incubator[2], I used a project called OPT[3], which works very well and is focused on project management (not other 'groupware' stuff) but unfortunately it's not actively maintained, and there may be known security vulnerabilities so if you want to put it into production you may have to track those down. One plus is that Guy Davis added CVS integration to it.

[1] http://basecamphq.com/
[2] http://nhvbi.buzgate.org/opt/index.php
[3] http://www.guydavis.ca/projects/oss/opt/index.jsp and the sourceforge.net project page.

-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From sreegchn at gmail.com Wed Sep 28 05:07:41 2005
From: sreegchn at gmail.com (Sreenath G)
Date: Wed, 28 Sep 2005 14:37:41 +0530
Subject: [nycphp-talk] Free PHP Webspace
Message-ID: <9bd933520509280207275444e2@mail.gmail.com>

Hi all,

Can anyone tell me a good site offering 50-100MB (or more) Free Webspace with PHP and MySQL.

--
regards
Sreenath.G

-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From codebowl at gmail.com Wed Sep 28 08:48:49 2005
From: codebowl at gmail.com (Joseph Crawford)
Date: Wed, 28 Sep 2005 08:48:49 -0400
Subject: [nycphp-talk] Free PHP Webspace
In-Reply-To: <9bd933520509280207275444e2@mail.gmail.com>
References: <9bd933520509280207275444e2@mail.gmail.com>
Message-ID: <8d9a428005092805487dbf2e78@mail.gmail.com>

Last I knew .Geek was a good place. I am not sure if they are still offering it, but they did when PHP5 was first released.

www.dotgeek.org

Other than that, check Google; I am sure there are many other sites that offer free space with banner ads etc.. Lunarpages has a cheap package, I think it's $7/mo if you can manage that.

--
Joseph Crawford Jr.
Zend Certified Engineer
Codebowl Solutions, Inc.
1-802-671-2021
codebowl at gmail.com

-------------- next part --------------
An HTML attachment was scrubbed...
URL: From Consult at CovenantEDesign.com Wed Sep 28 08:54:31 2005 From: Consult at CovenantEDesign.com (CED) Date: Wed, 28 Sep 2005 08:54:31 -0400 Subject: [nycphp-talk] Free PHP Webspace References: <9bd933520509280207275444e2@mail.gmail.com> Message-ID: <01a701c5c42b$c538d0c0$0319a8c0@ced> My desktop. =D ----- Original Message ----- From: Sreenath G To: NYPHP Talk Sent: Wednesday, September 28, 2005 5:07 AM Subject: [nycphp-talk] Free PHP Webspace Hi all, Can anyone tell me a good site offering 50-100MB(or more) Free Webspace with PHP and MySQL. -- regards Sreenath.G ------------------------------------------------------------------------------ _______________________________________________ New York PHP Talk Mailing List AMP Technology Supporting Apache, MySQL and PHP http://lists.nyphp.org/mailman/listinfo/talk http://www.nyphp.org -------------- next part -------------- An HTML attachment was scrubbed... URL: From aaron at aarond.com Wed Sep 28 12:57:57 2005 From: aaron at aarond.com (aaron at aarond.com) Date: Wed, 28 Sep 2005 12:57:57 -0400 Subject: [nycphp-talk] Audubon Flash/PHP Map Message-ID: <20050928125757.c36byl6sdlkkcs44@208.179.130.20> Hey guys, I could use some feedback on this page. It's a flash/php/oracle app that dynamically plots points on a map based on long/lat info for each contact in the db. It may be a little slow loading, but if it's REALLY slow please let me know. (A co-worker of mine developed the app, I just helped out on a few small items and feedback) http://www.audubon.org/states/flashMap.php Thanks!! Aaron D. From yournway at gmail.com Wed Sep 28 13:19:38 2005 From: yournway at gmail.com (Alberto dos Santos) Date: Wed, 28 Sep 2005 18:19:38 +0100 Subject: [nycphp-talk] Audubon Flash/PHP Map In-Reply-To: <20050928125757.c36byl6sdlkkcs44@208.179.130.20> References: <20050928125757.c36byl6sdlkkcs44@208.179.130.20> Message-ID: Loads pretty fast. 
It's nice, though I would like to have a hand over the map allowing me to move it as I please. That said, Nice Work!

On 28/09/05, aaron at aarond.com wrote:
>
> Hey guys, I could use some feedback on this page. It's a flash/php/oracle
> app
> that dynamically plots points on a map based on long/lat info for each
> contact
> in the db. It may be a little slow loading, but if it's REALLY slow please
> let
> me know.
>
> (A co-worker of mine developed the app, I just helped out on a few small
> items
> and feedback)
>
> http://www.audubon.org/states/flashMap.php
>
> Thanks!!
> Aaron D.
>

--
Alberto dos Santos
Consultor em TI
IT Consultant
http://www.yournway.com
A internet à sua maneira.
The Internet your own way.

From coling at macmicro.com Wed Sep 28 13:55:51 2005
From: coling at macmicro.com (Colin Goldberg)
Date: Wed, 28 Sep 2005 13:55:51 -0400
Subject: [nycphp-talk] Audubon Flash/PHP Map
In-Reply-To: <20050928125757.c36byl6sdlkkcs44@208.179.130.20>
References: <20050928125757.c36byl6sdlkkcs44@208.179.130.20>
Message-ID: <433AD927.2040307@macmicro.com>

From edwardpotter at gmail.com Wed Sep 28 15:04:01 2005
From: edwardpotter at gmail.com (edward potter)
Date: Wed, 28 Sep 2005 15:04:01 -0400
Subject: [nycphp-talk] Audubon Flash/PHP Map
In-Reply-To: <20050928125757.c36byl6sdlkkcs44@208.179.130.20>
References: <20050928125757.c36byl6sdlkkcs44@208.179.130.20>
Message-ID:

Hi,

seemed to load ok to me. I'm taking a grad school Flash course now.

After 5 years, I've been converted to Flash, I'm now a total Flash crazed php programmer. It's UNBELIEVABLE what you can do now with Flash, blew my mind. And as I say, it took years to convert me.
I've joined the Flash cult, some of the demos I've been show are AMAZING, and now with an open source compiler, wow! Before: FLASH IS TERRIBLE, IT BREAKS ALL THE RULES, IT SUCKS! NEVER USE FLASH. After cult immersion tactics! :-) FLASH IS GOD, FLASH IS GOD, FLASH IS GOD -ed On 9/28/05, aaron at aarond.com wrote: > Hey guys, I could use some feedback on this page. It's a flash/php/oracle app > that dynamically plots points on a map based on long/lat info for each contact > in the db. It may be a little slow loading, but if it's REALLY slow please let > me know. > > (A co-worker of mine developed the app, I just helped out on a few small items > and feedback) > > http://www.audubon.org/states/flashMap.php > > Thanks!! > Aaron D. > _______________________________________________ > New York PHP Talk Mailing List > AMP Technology > Supporting Apache, MySQL and PHP > http://lists.nyphp.org/mailman/listinfo/talk > http://www.nyphp.org > From joshmccormack at travelersdiary.com Wed Sep 28 16:21:39 2005 From: joshmccormack at travelersdiary.com (Josh McCormack) Date: Wed, 28 Sep 2005 16:21:39 -0400 Subject: [nycphp-talk] Project management solutions In-Reply-To: <1F3CD8DDFB6A9B4C9B8DD06E4A7DE3580135531C@network.PLMresearch.com> References: <1F3CD8DDFB6A9B4C9B8DD06E4A7DE3580135531C@network.PLMresearch.com> Message-ID: <433AFB53.5060703@travelersdiary.com> How about Task Juggler (http://www.taskjuggler.org/), which I believe integrates with KDE stuff like their groupware, Kolab, as well as Kontact, etc. Josh Mark Withington wrote: > I'm on the front-end of a research project to locate "good" PHP project > management solutions. So far I've identified the following candidates. > Does anyone have experience with > > PHProjekt http://www.phprojekt.com/ > DOTproject http://www.dotproject.net/ > Netoffice http://netoffice.sourceforge.net > TUTOS http://www.tutos.org > more.groupware http://mgw.k-fish.de/ > phpGroupWare http://www.phpgroupware.org/ > > Any ones that I've missed? 
> > Thanks in advance, > > Mark > > -------------------------- > Mark L. Withington > PLMresearch > "eBusiness for the Midsize Enterprise" > PO Box 1354 > Plymouth, MA 02362 > o: 800-310-3992 ext. 704 > f: 508-746-4973 > v: 508-746-2383 > m: 508-801-0181 > http://www.PLMresearch.com > AIM/MSN/Skype: PLMresearch > Yahoo: PLMresearch2000 > mwithington at plmresearch.com > Public Key: http://www.plmresearch.com/keys/MLW_public_key.asc > Calendar: http://www.plmresearch.com/calendar.php > _______________________________________________ > New York PHP Talk Mailing List > AMP Technology > Supporting Apache, MySQL and PHP > http://lists.nyphp.org/mailman/listinfo/talk > http://www.nyphp.org > From jellicle at gmail.com Wed Sep 28 17:41:46 2005 From: jellicle at gmail.com (Michael Sims) Date: Wed, 28 Sep 2005 17:41:46 -0400 Subject: [nycphp-talk] mysqli errors Message-ID: <200509281741.46464.jellicle@gmail.com> The mysqli extension works nicely for accessing MySQL from PHP. However, it throws warnings like a Mardi Gras float throws beads. "Warning: mysqli::query(): No index used in query/prepared statement ..." Some SELECT statements cannot use an index. "SELECT foo FROM bar" doesn't use an index, because you want all the rows. That doesn't stop mysqli from giving this warning, though. Sometimes mysqli gives this warning even when MySQL is apparently using an index (i.e. the same query, executed with EXPLAIN, says it's using an index). Shouldn't this be a notice rather than a warning anyway? It's not an error that your query isn't using an index... Question: what's the easiest and best way to get mysqli to shut up about no index being used? I generally want to see errors, other warnings and notices, so I can't just turn them off. 
Michael Sims From 1j0lkq002 at sneakemail.com Wed Sep 28 18:31:45 2005 From: 1j0lkq002 at sneakemail.com (inforequest) Date: Wed, 28 Sep 2005 15:31:45 -0700 Subject: [nycphp-talk] Audubon Flash/PHP Map In-Reply-To: References: <20050928125757.c36byl6sdlkkcs44@208.179.130.20> Message-ID: <5738-50735@sneakemail.com> edward potter edwardpotter-at-gmail.com |nyphp dev/internal group use| wrote: >Hi, > >seemed to load ok to me. I'm taking a grad school Flash course now. > >After 5 years, I've been converted to Flash, I'm now a total Flash >crazed php programmer. It's UNBELIEVABLE what you can do now with >Flash, blew my mind. And as I say, it took years to convert me. I've >joined the Flash cult, some of the demos I've been show are AMAZING, >and now with an open source compiler, wow! > >Before: >FLASH IS TERRIBLE, IT BREAKS ALL THE RULES, IT SUCKS! NEVER USE FLASH. > >After cult immersion tactics! :-) > >FLASH IS GOD, FLASH IS GOD, FLASH IS GOD > >-ed > > > Hmm... haven't looked at Flash for while, and Studio 8 is shipping.... can you provide a list of tools you use for LAMP + FLash work? Thanks.. -=john andrews http://www.seo-fun.com (of course everyone has perused www.BillyHarvey.com, right? ;-) From joshmccormack at travelersdiary.com Wed Sep 28 20:18:49 2005 From: joshmccormack at travelersdiary.com (Josh McCormack) Date: Wed, 28 Sep 2005 20:18:49 -0400 Subject: [nycphp-talk] Audubon Flash/PHP Map In-Reply-To: References: <20050928125757.c36byl6sdlkkcs44@208.179.130.20> Message-ID: <433B32E9.2060408@travelersdiary.com> I'm all for Flash when it works, but I feel like I'm constantly having to talk designers out of using it. It mixes functionality in with code and buries it all in a hard to update file. Designers see a need for functionality and think Flash. They often think dynamic and robust mean animated and.... animated. Josh edward potter wrote: > Hi, > > seemed to load ok to me. I'm taking a grad school Flash course now. 
> > After 5 years, I've been converted to Flash, I'm now a total Flash > crazed php programmer. It's UNBELIEVABLE what you can do now with > Flash, blew my mind. And as I say, it took years to convert me. I've > joined the Flash cult, some of the demos I've been show are AMAZING, > and now with an open source compiler, wow! > > Before: > FLASH IS TERRIBLE, IT BREAKS ALL THE RULES, IT SUCKS! NEVER USE FLASH. > > After cult immersion tactics! :-) > > FLASH IS GOD, FLASH IS GOD, FLASH IS GOD > > -ed > > On 9/28/05, aaron at aarond.com wrote: > >>Hey guys, I could use some feedback on this page. It's a flash/php/oracle app >>that dynamically plots points on a map based on long/lat info for each contact >>in the db. It may be a little slow loading, but if it's REALLY slow please let >>me know. >> >>(A co-worker of mine developed the app, I just helped out on a few small items >>and feedback) >> >>http://www.audubon.org/states/flashMap.php >> >>Thanks!! >>Aaron D. >>_______________________________________________ >>New York PHP Talk Mailing List >>AMP Technology >>Supporting Apache, MySQL and PHP >>http://lists.nyphp.org/mailman/listinfo/talk >>http://www.nyphp.org >> > > _______________________________________________ > New York PHP Talk Mailing List > AMP Technology > Supporting Apache, MySQL and PHP > http://lists.nyphp.org/mailman/listinfo/talk > http://www.nyphp.org > From matt at jiffycomp.com Wed Sep 28 22:32:48 2005 From: matt at jiffycomp.com (Matt Morgan) Date: Wed, 28 Sep 2005 22:32:48 -0400 Subject: [nycphp-talk] Audubon Flash/PHP Map In-Reply-To: <20050928125757.c36byl6sdlkkcs44@208.179.130.20> References: <20050928125757.c36byl6sdlkkcs44@208.179.130.20> Message-ID: <433B5250.9070406@jiffycomp.com> aaron at aarond.com wrote: >Hey guys, I could use some feedback on this page. It's a flash/php/oracle app >that dynamically plots points on a map based on long/lat info for each contact >in the db. 
It may be a little slow loading, but if it's REALLY slow please let >me know. > >(A co-worker of mine developed the app, I just helped out on a few small items >and feedback) > >http://www.audubon.org/states/flashMap.php > > > Hmm, I can't see the map. Only the little help guide. I'm using Firefox 1.07 on Fedora Core 3. Flash mostly works, otherwise (I have flash 7 installed). From greg.rundlett at gmail.com Wed Sep 28 23:02:03 2005 From: greg.rundlett at gmail.com (Greg Rundlett) Date: Wed, 28 Sep 2005 23:02:03 -0400 Subject: [nycphp-talk] Audubon Flash/PHP Map In-Reply-To: <433B5250.9070406@jiffycomp.com> References: <20050928125757.c36byl6sdlkkcs44@208.179.130.20> <433B5250.9070406@jiffycomp.com> Message-ID: <5e2aaca40509282002797512f4@mail.gmail.com> > Hmm, I can't see the map. Only the little help guide. I'm using Firefox > 1.07 on Fedora Core 3. Flash mostly works, otherwise (I have flash 7 > installed). Broken here too. I get the left half of the map, with a gray area for the right half. Firefox 1.03 on FC3. Konqueror shows the whole map. -------------- next part -------------- An HTML attachment was scrubbed... URL: From yournway at gmail.com Thu Sep 29 03:47:26 2005 From: yournway at gmail.com (Alberto dos Santos) Date: Thu, 29 Sep 2005 08:47:26 +0100 Subject: [nycphp-talk] Audubon Flash/PHP Map In-Reply-To: <5e2aaca40509282002797512f4@mail.gmail.com> References: <20050928125757.c36byl6sdlkkcs44@208.179.130.20> <433B5250.9070406@jiffycomp.com> <5e2aaca40509282002797512f4@mail.gmail.com> Message-ID: Oh. Then I might add I was using Firefox 1.0.7 on WinXP. It all worked fine. On 29/09/05, Greg Rundlett wrote: > > > Hmm, I can't see the map. Only the little help guide. I'm using Firefox > > 1.07 on Fedora Core 3. Flash mostly works, otherwise (I have flash 7 > > installed). > > > Broken here too. I get the left half of the map, with a gray area for the > right half. Firefox 1.03 on FC3. Konqueror shows the whole map. 
>
> --
Alberto dos Santos
Consultor em TI
IT Consultant
http://www.yournway.com
A internet à sua maneira.
The Internet your own way.

From ken at secdat.com Thu Sep 29 08:16:42 2005
From: ken at secdat.com (Kenneth Downs)
Date: Thu, 29 Sep 2005 08:16:42 -0400 (EDT)
Subject: [nycphp-talk] Audubon Flash/PHP Map
In-Reply-To: <20050928125757.c36byl6sdlkkcs44@208.179.130.20>
References: <20050928125757.c36byl6sdlkkcs44@208.179.130.20>
Message-ID: <53898.38.117.147.25.1127996202.squirrel@38.117.147.25>

I'm running Firefox. There is a big gray box covering the eastern half of the map, don't know what that is, perhaps the site was coded for IE? The 'back' button does not work. I would offer more feedback but with the big gray box on there I can't do much.

> Hey guys, I could use some feedback on this page. It's a flash/php/oracle
> app
> that dynamically plots points on a map based on long/lat info for each
> contact
> in the db. It may be a little slow loading, but if it's REALLY slow please
> let
> me know.
>
> (A co-worker of mine developed the app, I just helped out on a few small
> items
> and feedback)
>
> http://www.audubon.org/states/flashMap.php
>
> Thanks!!
> Aaron D.
> _______________________________________________ > New York PHP Talk Mailing List > AMP Technology > Supporting Apache, MySQL and PHP > http://lists.nyphp.org/mailman/listinfo/talk > http://www.nyphp.org > -- Kenneth Downs Secure Data Software 631-379-0010 ken at secdat.com PO Box 708 East Setauket, NY 11733 From nyphp at enobrev.com Thu Sep 29 08:26:31 2005 From: nyphp at enobrev.com (Mark Armendariz) Date: Thu, 29 Sep 2005 05:26:31 -0700 Subject: [nycphp-talk] Audubon Flash/PHP Map In-Reply-To: <433B32E9.2060408@travelersdiary.com> Message-ID: <20050929122630.B1768A8777@virtu.nyphp.org> > It mixes functionality in with code > and buries it all in a hard to update file. Such is no longer the case. These days, my fla files generally have 2 lines of code in them. One to import the main Actionscript file and the other to execute the constructor of the app. Everything else is in a full directory structure of easily editable text files with an 'as' extension. Actually the perfect balance of separating the coder from the designer in my experience. Flash is so much more developer-friendly these days. I still hate the ide and think it should be beaten to bits (haven't played with 8 yet, so don't hate me if it's improved - thankfully that's for the designers to deal with), but development is so much more rewarding than it once was. Mark From agfische at email.smith.edu Thu Sep 29 08:27:57 2005 From: agfische at email.smith.edu (Aaron Fischer) Date: Thu, 29 Sep 2005 08:27:57 -0400 Subject: [nycphp-talk] Audubon Flash/PHP Map In-Reply-To: <20050928125757.c36byl6sdlkkcs44@208.179.130.20> References: <20050928125757.c36byl6sdlkkcs44@208.179.130.20> Message-ID: <433BDDCD.5020403@email.smith.edu> -Aaron D. Seems to work just fine with Safari on Mac OS X. -Aaron F. aaron at aarond.com wrote: >Hey guys, I could use some feedback on this page. It's a flash/php/oracle app >that dynamically plots points on a map based on long/lat info for each contact >in the db. 
It may be a little slow loading, but if it's REALLY slow please let >me know. > >(A co-worker of mine developed the app, I just helped out on a few small items >and feedback) > >http://www.audubon.org/states/flashMap.php > >Thanks!! >Aaron D. > > From chsnyder at gmail.com Thu Sep 29 09:26:55 2005 From: chsnyder at gmail.com (csnyder) Date: Thu, 29 Sep 2005 09:26:55 -0400 Subject: [nycphp-talk] Audubon Flash/PHP Map In-Reply-To: <20050929122630.B1768A8777@virtu.nyphp.org> References: <433B32E9.2060408@travelersdiary.com> <20050929122630.B1768A8777@virtu.nyphp.org> Message-ID: On 9/29/05, Mark Armendariz wrote: > Flash is so much more developer-friendly these days. I still hate the ide > and think it should be beaten to bits (haven't played with 8 yet, so don't > hate me if it's improved - thankfully that's for the designers to deal > with), but development is so much more rewarding than it once was. > A non-geek friend of mine from SF knows a bunch of people who code for Macromedia, and says they are always talking about "this PHP thing". They have been actively promoting Flash+PHP for a couple years now. I wish the Flash IDE was higher quality, but then that's really the designer's domain. Flash+actionscript+php (FLAP?) is a pretty killer platform for rich web applications, and not subject (to the best of my knowledge) to the same class of cross-site-scripting attacks that AJAX apps are. The biggest problem for me is the lack of an open-source player. If Macromedia/Adobe decides to start selling ads on top of your application, or includes spyware in the player, what are you going to do about it? 
From ereyes at totalcreations.com Thu Sep 29 10:12:11 2005 From: ereyes at totalcreations.com (Edgar Reyes) Date: Thu, 29 Sep 2005 10:12:11 -0400 Subject: [nycphp-talk] Audubon Flash/PHP Map In-Reply-To: <53898.38.117.147.25.1127996202.squirrel@38.117.147.25> Message-ID: <00c701c5c4ff$c8c3b1e0$6500a8c0@ERENTR> It works fine for me and I tried it in Firefox 1.7 Netscape 7.2 and IE. ER -----Original Message----- From: talk-bounces at lists.nyphp.org [mailto:talk-bounces at lists.nyphp.org] On Behalf Of Kenneth Downs Sent: Thursday, September 29, 2005 7:17 AM To: NYPHP Talk Subject: Re: [nycphp-talk] Audubon Flash/PHP Map I'm running Firefox. There is a big gray box covering the eastern half of the map, don't know what that is, perhaps the site was coded for IE? The 'back' button does not work. I would offer more feedback but with the big gray box on there I can't do much. > Hey guys, I could use some feedback on this page. It's a flash/php/oracle > app > that dynamically plots points on a map based on long/lat info for each > contact > in the db. It may be a little slow loading, but if it's REALLY slow please > let > me know. > > (A co-worker of mine developed the app, I just helped out on a few small > items > and feedback) > > http://www.audubon.org/states/flashMap.php > > Thanks!! > Aaron D. 
> _______________________________________________ > New York PHP Talk Mailing List > AMP Technology > Supporting Apache, MySQL and PHP > http://lists.nyphp.org/mailman/listinfo/talk > http://www.nyphp.org > -- Kenneth Downs Secure Data Software 631-379-0010 ken at secdat.com PO Box 708 East Setauket, NY 11733 _______________________________________________ New York PHP Talk Mailing List AMP Technology Supporting Apache, MySQL and PHP http://lists.nyphp.org/mailman/listinfo/talk http://www.nyphp.org From jellicle at gmail.com Thu Sep 29 10:42:52 2005 From: jellicle at gmail.com (Michael Sims) Date: Thu, 29 Sep 2005 10:42:52 -0400 Subject: [nycphp-talk] Audubon Flash/PHP Map In-Reply-To: <20050928125757.c36byl6sdlkkcs44@208.179.130.20> References: <20050928125757.c36byl6sdlkkcs44@208.179.130.20> Message-ID: <200509291042.52795.jellicle@gmail.com> On Wednesday 28 September 2005 12:57, aaron at aarond.com wrote: > Hey guys, I could use some feedback on this page. It's a > flash/php/oracle app that dynamically plots points on a map based on > long/lat info for each contact in the db. It may be a little slow > loading, but if it's REALLY slow please let me know. The page has this code: State Chapter Information
Interactive Flash Map

I would bet quite a lot that the tag should be a
instead. That's (probably) what's causing the right half of the Flash app to be greyed out for a lot of people, including me. Michael Sims From max at neuropunks.org Thu Sep 29 11:27:55 2005 From: max at neuropunks.org (Max Gribov) Date: Thu, 29 Sep 2005 11:27:55 -0400 Subject: [nycphp-talk] OT - embedded WMV objects - no full screen on FireFox Message-ID: <433C07FB.60006@neuropunks.org> Hello, This is slightly offtopic, a little problem im having with this site im writing. I have following code:
As you can see, when I click on the fullscreen.jpg button the wmv file is supposed to become fullscreen - and it does, but only in IE I was looking through google, as well as comparing this code to other code I wrote/could find, and everything seems like it should work. Can anyone see what Im doing wrong? Or is it not the code, and im missing something entirely else?.. note: inside the tag I used to have type="application/x-oleobject" directive, and adding/removing it did not change anything Thank you! Max From aaron at aarond.com Thu Sep 29 11:59:41 2005 From: aaron at aarond.com (aaron) Date: Thu, 29 Sep 2005 11:59:41 -0400 Subject: [nycphp-talk] Audubon Flash/PHP Map In-Reply-To: <200509291042.52795.jellicle@gmail.com> References: <20050928125757.c36byl6sdlkkcs44@208.179.130.20> <200509291042.52795.jellicle@gmail.com> Message-ID: <433C0F6D.8070001@aarond.com> Thank you all for looking over the flash map. I sent all of your feedback to the developer and will continue to do so if any more come in. He fixed the span/font tag mishap, so if you can take another quick look I would appreciate it. I only have pc/max here to test on, no *nix environment yet. http://www.audubon.org/states/flashMap.php Thanks again!! Aaron D. Michael Sims wrote: >On Wednesday 28 September 2005 12:57, aaron at aarond.com wrote: > > > >>Hey guys, I could use some feedback on this page. It's a >>flash/php/oracle app that dynamically plots points on a map based on >>long/lat info for each contact in the db. It may be a little slow >>loading, but if it's REALLY slow please let me know. >> >> > >The page has this code: > >State Chapter Information
>Interactive Flash Map
>
> >I would bet quite a lot that the tag should be a
instead. >That's (probably) what's causing the right half of the Flash app to be >greyed out for a lot of people, including me. > > >Michael Sims >_______________________________________________ >New York PHP Talk Mailing List >AMP Technology >Supporting Apache, MySQL and PHP >http://lists.nyphp.org/mailman/listinfo/talk >http://www.nyphp.org > > -------------- next part -------------- An HTML attachment was scrubbed... URL: From greg.rundlett at gmail.com Thu Sep 29 20:26:56 2005 From: greg.rundlett at gmail.com (Greg Rundlett) Date: Thu, 29 Sep 2005 20:26:56 -0400 Subject: [nycphp-talk] Audubon Flash/PHP Map In-Reply-To: <433C0F6D.8070001@aarond.com> References: <20050928125757.c36byl6sdlkkcs44@208.179.130.20> <200509291042.52795.jellicle@gmail.com> <433C0F6D.8070001@aarond.com> Message-ID: <5e2aaca405092917262f0a05ec@mail.gmail.com> Still half gray here. The w3c validator points out that the Doctype element (which should be the first line) is actually on line two of the source. From Consult at CovenantEDesign.com Thu Sep 29 21:27:39 2005 From: Consult at CovenantEDesign.com (CED) Date: Thu, 29 Sep 2005 21:27:39 -0400 Subject: [nycphp-talk] OT - embedded WMV objects - no full screen on FireFox References: <433C07FB.60006@neuropunks.org> Message-ID: <030601c5c55e$25f77820$0319a8c0@ced> I'm not exactly sure if you need the object tag... for mozilla, or something of that sort... Other than that I'd look here: http://www.mozilla.org/quality/browser/front-end/testcases/oji/objecttest5.html then here: http://java.sun.com/j2se/1.5.0/docs/guide/plugin/developer_guide/using_tags.html I didn't have time to, what can I say, I'm fat and Lazy =D. Aren't all programmers? Well, minus the fat maybe. 
Edward JS Prevost II Me at EdwardPrevost.info www.EdwardPrevost.info ----- Original Message ----- From: "Max Gribov" To: "NYPHP Talk" Sent: Thursday, September 29, 2005 11:27 AM Subject: [nycphp-talk] OT - embedded WMV objects - no full screen on FireFox Hello, This is slightly offtopic, a little problem im having with this site im writing. I have following code: http://www.mozilla.org/quality/browser/front-end/testcases/oji/objecttest5.html
As you can see, when I click on the fullscreen.jpg button the wmv file is supposed to become fullscreen - and it does, but only in IE I was looking through google, as well as comparing this code to other code I wrote/could find, and everything seems like it should work. Can anyone see what Im doing wrong? Or is it not the code, and im missing something entirely else?.. note: inside the tag I used to have type="application/x-oleobject" directive, and adding/removing it did not change anything Thank you! Max _______________________________________________ New York PHP Talk Mailing List AMP Technology Supporting Apache, MySQL and PHP http://lists.nyphp.org/mailman/listinfo/talk http://www.nyphp.org From kigathi at gmail.com Fri Sep 30 08:32:19 2005 From: kigathi at gmail.com (Eric K.) Date: Fri, 30 Sep 2005 08:32:19 -0400 Subject: [nycphp-talk] SQL - Sorting on multiple columns Message-ID: Quick SQL-related question that seems deceptively simple but that I can't seem to solve: I have a database with authors and books they've written-looks very similar to: http://www.onlamp.com/pub/a/php/2004/01/29/php_foundations.html I have a simple query that returns a resultset of the names of the top 25 authors and the books they've published thus: SELECT authors.name, COUNT(books.title) AS books FROM authors,books WHERE books.author_id = authors.author_id GROUP BY name ORDER BY books LIMIT 0,25 Pretty straightforward right? Actually no, because I'd like to have the result set returned in order of author name but because of the top 25 stipulation (ORDER by books LIMIT 0,25) I can't. Is there any way to get the top 25 resultset sorted by author name with a straightforward SQL query (unfortunately MySQL 4.0 doesn't like subselects). Unfortunately I can't sort the resultset in PHP. 
From prusak at gmail.com Fri Sep 30 10:52:10 2005 From: prusak at gmail.com (Ophir Prusak) Date: Fri, 30 Sep 2005 10:52:10 -0400 Subject: [nycphp-talk] SQL - Sorting on multiple columns In-Reply-To: References: Message-ID: If you want the top 25 authors (in terms of books) sorted by author name, you'll need a subselect. Try mysql 4.1 :) or insert into a temp table (memory based) and query from there. Also - why can't u sort it in php ? On 9/30/05, Eric K. wrote: > Quick SQL-related question that seems deceptively simple but that I > can't seem to solve: > > I have a database with authors and books they've written-looks very similar to: > http://www.onlamp.com/pub/a/php/2004/01/29/php_foundations.html > > I have a simple query that returns a resultset of the names of the top > 25 authors and the books they've published thus: > > SELECT authors.name, COUNT(books.title) AS books > FROM authors,books > WHERE books.author_id = authors.author_id > GROUP BY name > ORDER BY books > LIMIT 0,25 > > Pretty straightforward right? Actually no, because I'd like to have > the result set returned in order of author name but because of the top > 25 stipulation (ORDER by books LIMIT 0,25) I can't. > > Is there any way to get the top 25 resultset sorted by author name > with a straightforward SQL query (unfortunately MySQL 4.0 doesn't like > subselects). Unfortunately I can't sort the resultset in PHP. > _______________________________________________ > New York PHP Talk Mailing List > AMP Technology > Supporting Apache, MySQL and PHP > http://lists.nyphp.org/mailman/listinfo/talk > http://www.nyphp.org > From agfische at email.smith.edu Fri Sep 30 12:36:49 2005 From: agfische at email.smith.edu (Aaron Fischer) Date: Fri, 30 Sep 2005 12:36:49 -0400 Subject: [nycphp-talk] What are ? 
and : Message-ID: <433D69A1.2070903@email.smith.edu> I am in the process of reading through the PHundamentals article titled "Functions for Storing Data Submitted From a Form and Displaying Data from a Database" and have run into two symbols that I am unclear about in the fix_magic_quotes function. http://www.nyphp.org/phundamentals/storingretrieving.php The symbols in question are ? and : The lines where they are used: 1) $argv = isset($_SERVER['argv']) ? $_SERVER['argv'] : NULL; 2) return $sybase ? str_replace ('\'\'', '\'', $var) : stripslashes ($var); Would appreciate an explanation of the usage of the symbols and their use in the context of these two lines. Thanks, -Aaron From rahmin at insite-out.com Fri Sep 30 12:47:22 2005 From: rahmin at insite-out.com (Rahmin Pavlovic) Date: Fri, 30 Sep 2005 12:47:22 -0400 Subject: [nycphp-talk] What are ? and : Message-ID: <200509301647.j8UGlMOx002505@webmail5.megamailservers.com> An embedded and charset-unspecified text was scrubbed... Name: not available URL: From jellicle at gmail.com Fri Sep 30 12:58:27 2005 From: jellicle at gmail.com (Michael Sims) Date: Fri, 30 Sep 2005 12:58:27 -0400 Subject: [nycphp-talk] What are ? and : In-Reply-To: <433D69A1.2070903@email.smith.edu> References: <433D69A1.2070903@email.smith.edu> Message-ID: <200509301258.28038.jellicle@gmail.com> On Friday 30 September 2005 12:36, Aaron Fischer wrote: > The symbols in question are ? and : ?: is the "ternary operator". Google for that and you should get plenty of information. http://ca.php.net/manual/en/language.operators.comparison.php#language.operators.comparison.ternary A ? B : C can be roughly translated as "test A, and pick B or C depending on how A's test came out". > 1) $argv = isset($_SERVER['argv']) ? $_SERVER['argv'] : NULL; So this is saying if the _SERVER variable argv is set, then set the local variable argv with that value; otherwise set it to NULL. 
The more direct approach: $argv = $_SERVER['argv']; will throw an error if $_SERVER['argv'] doesn't exist. (Actually, it will throw a notice, not an error, and the script will continue to execute, and the functional effect will be very similar, but using the ternary operator is certainly more elegant.) Michael Sims From enunez at tiaa-cref.org Fri Sep 30 13:04:38 2005 From: enunez at tiaa-cref.org (Nunez, Eddy) Date: Fri, 30 Sep 2005 13:04:38 -0400 Subject: [nycphp-talk] What are ? and : Message-ID: <33DFD788D44E404CB92B90176DEC061A6DAFD0@NYCPDMSXMB06.ad.tiaa-cref.org> Yeah no kidding .. I love this stuff!! I've used them in sequence to test and update a conditional variable... some actual code I wrie to set a string based on various database variables.. $approval_status = ( $adt=$res[APPROVED] ) ? "Approved on $adt" : 'Unapproved' ; $approval_status = ( in_array($suffix,array('AN','SP')) ) ? 'N/A' : $approval_status ; $approval_status = ( $cdt=$res[COMPLETED] ) ? "Closed on $cdt" : $approval_status ; $approval_status = ( $cdt=$res[CANCELED] ) ? "Canceled on $cdt" : $approval_status ; I realized in the above the sequence of the instructions is critical for the correct result because the following statements will use the previous results on false condition. FYI: texts refer to it as Trinary operator because it takes 3 operands, instead of the more common 2 ops. Cool stuff! -----Original Message----- From: talk-bounces at lists.nyphp.org [mailto:talk-bounces at lists.nyphp.org]On Behalf Of Rahmin Pavlovic Sent: Friday, September 30, 2005 12:47 PM To: NYPHP Talk; Aaron Fischer Subject: Re: [nycphp-talk] What are ? and : On Fri, 30 Sep 2005 12:36 , Aaron Fischer sent: >I am in the process of reading through the PHundamentals article titled >"Functions for Storing Data Submitted From a Form and Displaying Data >from a Database" and have run into two symbols that I am unclear about >in the fix_magic_quotes function. 
>http://www.nyphp.org/phundamentals/storingretrieving.php
>
>The symbols in question are ? and :
>
>The lines where they are used:
>
>1) $argv = isset($_SERVER['argv']) ? $_SERVER['argv'] : NULL;
>

It's a conditional operator, and it's basically a simple if/else
assignment. In this case, it's checking to see if there are any arguments
-- if so, they get assigned to $argv, if not, $argv is NULL.

A lot of people don't like conditional operators, but I use them a lot.

From agfische at email.smith.edu Fri Sep 30 13:30:06 2005
From: agfische at email.smith.edu (Aaron Fischer)
Date: Fri, 30 Sep 2005 13:30:06 -0400
Subject: [nycphp-talk] What are ? and :
In-Reply-To: <200509301258.28038.jellicle@gmail.com>
References: <433D69A1.2070903@email.smith.edu> <200509301258.28038.jellicle@gmail.com>
Message-ID: <433D761E.6060005@email.smith.edu>

Awesome, thanks for the description! That's very helpful, as is the link
as well.

I'd like to say that this list rocks, as usual.

Cheers,

-Aaron

Michael Sims wrote:

>On Friday 30 September 2005 12:36, Aaron Fischer wrote:
>
>>The symbols in question are ? and :
>
>?: is the "ternary operator". Google for that and you should get plenty of
>information.
>http://ca.php.net/manual/en/language.operators.comparison.php#language.operators.comparison.ternary
>
>A ? B : C
>
>can be roughly translated as "test A, and pick B or C depending on how A's
>test came out".
>
>>1) $argv = isset($_SERVER['argv']) ? $_SERVER['argv'] : NULL;
>
>So this is saying if the _SERVER variable argv is set, then set the local
>variable argv with that value; otherwise set it to NULL. The more direct
>approach:
>
>$argv = $_SERVER['argv'];
>
>will throw an error if $_SERVER['argv'] doesn't exist. (Actually, it will
>throw a notice, not an error, and the script will continue to execute, and
>the functional effect will be very similar, but using the ternary operator
>is certainly more elegant.)

From cliff at pinestream.com Fri Sep 30 13:31:36 2005
From: cliff at pinestream.com (Cliff Hirsch)
Date: Fri, 30 Sep 2005 13:31:36 -0400
Subject: [nycphp-talk] Paginating tables properly when rows are collapsed by a column
Message-ID: <000301c5c5e4$cf636460$0ba8a8c0@cliff>

I am trying to properly paginate a table spread over several pages. The
problem is, I want the # of rows displayed to be based on a collapsed
summary column. Using Javascript, the default display would be to collapse
everything based on one field (in this case category).

As an example, I may want to show 10 collapsed category rows per page that
can expand into a larger # of rows based on the # of rows in each category,
when a Javascript "show rows in category" button is clicked. This makes the
start # a bit tricky, and the individual rowsperpage # variable, while the
"category" rowsperpage # is fixed.
I think this would give me the proper results if it worked:

SELECT fields FROM table
WHERE table.userid = $userid
AND table.catid IN (SELECT DISTINCT catid FROM table
                    WHERE table.userid = $userid
                    LIMIT $startrow, $rowsperpage)

>>But LIMIT is not allowed in a sub-query, so I tried this:

SELECT GROUP_CONCAT(DISTINCT catid) FROM table
WHERE table.userid = $userid
LIMIT $startrow, $rowsperpage

SELECT fields FROM table
WHERE table.userid = $userid
AND table.catid IN ($result from above query)

>> But LIMIT does not work for GROUP_CONCAT, so I'm down to this:

SELECT DISTINCT catid FROM table
WHERE table.userid = $userid
LIMIT $startrow, $rowsperpage

PHP code to turn array result into a string, then:

SELECT fields FROM table
WHERE table.userid = $userid
AND table.catid IN ($result from above query)

Is there a simpler way? Perhaps this is a case for AJAX -- only get row
info when an "expand" button is clicked.

Thoughts?

Cliff Hirsch
_______________________________
Pinestream Communications, Inc.
Publisher of Semiconductor Times & Telecom Trends
http://www.pinestream.com

From lists at zaunere.com Fri Sep 30 13:59:29 2005
From: lists at zaunere.com (Hans Zaunere)
Date: Fri, 30 Sep 2005 13:59:29 -0400
Subject: [nycphp-talk] FW: [nycbug-talk] gpl on /.
Message-ID: <0MKp2t-1ELPAV3kEl-0002Wy@mrelay.perfora.net>

Marc Spitzer wrote on Friday, September 30, 2005 11:41 AM:
> Saw below on slashdot, this is something we need to be up to speed on.
> All you web developers out there need to add in time for licence
> review on your projects, if you use any 3rd party lib, ouch.
>
> Vicissidude writes "At present, companies that distribute
> GPL-licensed software must make the source code publicly available,
> including any modifications they've made.
> Though the rule covers many
> businesses that use GPL-licensed software for commercial ends, it
> doesn't cover Web companies that use such software to offer their
> services through the Web, as they're not actually distributing the
> software. GPL 3, the next version of the free software license, a
> draft of which is expected to be released in early 2006, may close
> this loophole, GPL author and Free Software Foundation head Richard
> Stallman said in an interview."
>
> interview link http://news.zdnet.com/2100-3513_22-5884172.html

Interesting developments in the exciting world of GPL licensing...

H

From suzerain at suzerain.com Fri Sep 30 17:23:32 2005
From: suzerain at suzerain.com (Marc Antony Vose)
Date: Fri, 30 Sep 2005 17:23:32 -0400
Subject: [nycphp-talk] strategy question: point accrual system and bots
In-Reply-To: <433C07FB.60006@neuropunks.org>
References: <433C07FB.60006@neuropunks.org>
Message-ID:

Hi there.

I'm asking a sort of general question here about how to design an
application I'm making. Basically, actions on a Web site will result in
members accruing points (the actions vary, but almost always cause a form
to be submitted, some action to be performed on the back end, and then
points to be allocated to the user).

I'm interested in people's strategies for preventing scripts or bots from
continually submitting actions and accruing points for someone. In some
cases, there are special things I can look for that will be the components
of these actions, but I'm looking also for some kind of general strategy
(special hash keys based on some random factor, etc. and so on).

I have a few ideas, but other people probably have better ones...the
simpler and more straightforward the better.

Cheers,

--
Marc Antony Vose
http://www.suzerain.com/

The only "intuitive" interface is the nipple. After that, it's all learned.
-- Bruce Ediger

From mail at billyreisinger.com Fri Sep 30 18:03:01 2005
From: mail at billyreisinger.com (Billy Reisinger)
Date: Fri, 30 Sep 2005 18:03:01 -0400
Subject: [nycphp-talk] strategy question: point accrual system and bots
In-Reply-To:
References: <433C07FB.60006@neuropunks.org>
Message-ID: <2009AE73-7D9D-4A21-838E-750CCE947E6D@billyreisinger.com>

Hey Marc -

I think that the simplicity of the solution is directly proportional to the
importance of preventing people from "submit fraud." If it is really
important (i.e. there is money involved), the complexity of your solution
will necessarily have to be greater; however, if you are not going to lose
money or a limb if someone "illegally" accrues points, then perhaps a
simple combination of tracking session IDs and IP addresses would work.

I wouldn't rely on any one method alone, though. It seems that tracking
user or bot activity on the web is best accomplished through a combination
of strategies. For example, you definitely can't rely on the accuracy of IP
addresses, or that one user == one IP address. On the other hand, using an
IP address in combination with, say, the user's session id, some cookie
data, or some information in the http header (like browser or operating
system) might be an effective way of tracking a single user. If you are
dealing with a system where people have to provide a username/password to
submit anything, your chances of identifying your users just got a ton
better!

Also, you can be sure something funky is going on if someone continually
submits a form many times in a small amount of time. It might be good to
put a threshold there, preventing people from re-submitting for, say, 60
seconds or something.

Cheers,
Billy

On Sep 30, 2005, at 5:23 PM, Marc Antony Vose wrote:

> Hi there.
>
> I'm asking a sort of general question here about how to design an
> application I'm making.
> Basically, actions on a Web site will result
> in members accruing points (the actions vary, but almost always cause
> a form to be submitted, some action to be performed on the back end,
> and then points to be allocated to the user).
>
> I'm interested in people's strategies for preventing scripts or bots
> from continually submitting actions and accruing points for someone.
> In some cases, there are special things I can look for that will be
> the components of these actions, but I'm looking also for some kind
> of general strategy (special hash keys based on some random factor,
> etc. and so on).
>
> I have a few ideas, but other people probably have better ones...the
> simpler and more straightforward the better.
>
> Cheers,
>
> --
> Marc Antony Vose
> http://www.suzerain.com/
>

From stephen at musgrave.org Fri Sep 30 18:49:00 2005
From: stephen at musgrave.org (Stephen Musgrave)
Date: Fri, 30 Sep 2005 18:49:00 -0400
Subject: [nycphp-talk] Validating/cleaning/scrubbing
Message-ID: <3a2a0d6a56ce33fcaed8fb6b6b98b96a@musgrave.org>

Given Tuesday's presentation by Chris Shiflett (thanks, Chris!), I have
been thinking more about security and am wondering if there are any classes
out there that people are using that they trust and can recommend?

Any comments about PHP Input Filter?

PHP Input Filter (linked from the PHP Security Consortium web site)
http://cyberai.com/inputfilter/

Thanks,

Stephen
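Two added examples follow for the threads above; neither is code from the list or from any poster. The first is for Cliff's pagination question: his final two-step approach (fetch a page of DISTINCT catid values with LIMIT, then fetch the rows whose catid is IN that list), written with PDO prepared statements so that neither $userid nor the comma-joined catid list is ever interpolated into the SQL string. The table name (items), column names and the sample rows are assumptions constructed for the example; it uses an in-memory SQLite database so it runs offline, but the two queries have the same shape against MySQL, where LIMIT inside an IN subquery is refused and this two-step form is the portable one.

```php
<?php
// Added example (not from the thread): Cliff's two-step "paginate by
// category" lookup with PDO prepared statements instead of interpolating
// $userid and the catid list into the SQL string. The table, columns and
// rows below are constructed sample data in an in-memory SQLite database.
declare(strict_types=1);

function build_sample_db(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE items (id INTEGER PRIMARY KEY, userid INTEGER, catid INTEGER, name TEXT)');
    $ins = $db->prepare('INSERT INTO items (userid, catid, name) VALUES (?, ?, ?)');
    // Constructed data: user 7 has rows in categories 10, 20, 30, 40; user 8 has one row.
    $rows = [
        [7, 10, 'a1'], [7, 10, 'a2'], [7, 20, 'b1'],
        [7, 30, 'c1'], [7, 30, 'c2'], [7, 30, 'c3'], [7, 40, 'd1'],
        [8, 10, 'other user'],
    ];
    foreach ($rows as $r) {
        $ins->execute($r);
    }
    return $db;
}

/**
 * Return the rows for one page, where a page is $catsPerPage distinct
 * categories (not $catsPerPage rows), as the thread describes.
 * Step 1 fetches the page's category ids with LIMIT; step 2 fetches the
 * rows for those categories with one bound placeholder per id.
 */
function fetch_category_page(PDO $db, int $userid, int $startCat, int $catsPerPage): array
{
    // Step 1: the distinct categories for this page. ORDER BY makes paging
    // deterministic; without it the database may return categories in any
    // order and consecutive pages can overlap or skip categories.
    $cats = $db->prepare(
        'SELECT DISTINCT catid FROM items WHERE userid = :uid ORDER BY catid LIMIT :lim OFFSET :off'
    );
    $cats->bindValue(':uid', $userid, PDO::PARAM_INT);
    $cats->bindValue(':lim', $catsPerPage, PDO::PARAM_INT);
    $cats->bindValue(':off', $startCat, PDO::PARAM_INT);
    $cats->execute();
    $catIds = array_map('intval', $cats->fetchAll(PDO::FETCH_COLUMN));

    // Past the last page: return nothing rather than emitting "IN ()", which is a syntax error.
    if ($catIds === []) {
        return [];
    }

    // Step 2: one "?" per category id, so the ids are bound, never concatenated in.
    // $placeholders contains only "?" and "," built locally, never user input.
    $placeholders = implode(',', array_fill(0, count($catIds), '?'));
    $rows = $db->prepare(
        "SELECT id, catid, name FROM items WHERE userid = ? AND catid IN ($placeholders) ORDER BY catid, id"
    );
    $rows->execute(array_merge([$userid], $catIds));
    return $rows->fetchAll(PDO::FETCH_ASSOC);
}

$db = build_sample_db();
// Page 1 (start 0): categories 10 and 20, 3 rows; page 2: categories 30 and 40, 4 rows; page 3: empty.
foreach ([0, 2, 4] as $start) {
    $page = fetch_category_page($db, 7, $start, 2);
    printf("start=%d: %d rows, categories %s\n", $start, count($page),
        implode(',', array_unique(array_column($page, 'catid'))));
}
```

The $startrow and $rowsperpage values in Cliff's queries come from the request in a real pager; binding them as integers (PDO::PARAM_INT) is what keeps a non-numeric page parameter from reaching the SQL text at all.

The second example is for Marc's question and Billy's reply: a single-use, per-session form token (Marc's "hash keys based on some random factor") combined with Billy's "don't let the same user be credited again within 60 seconds" threshold. It is an added illustration, not anything the posters wrote; the function names, the 600-second token lifetime and the 60-second interval are assumed values, and a plain array stands in for $_SESSION so it runs from the command line.

```php
<?php
// Added example (not from the thread): a single-use action token plus a
// per-user minimum interval between credited actions. Names, the 600 s
// token lifetime and the 60 s interval are assumptions; $session stands in
// for $_SESSION so the script runs from the CLI.
declare(strict_types=1);

const TOKEN_TTL_SECONDS   = 600; // a form rendered longer ago than this is stale (assumed)
const MIN_ACTION_INTERVAL = 60;  // Billy's resubmission threshold, per action (assumed)

/** Issue a fresh token when the form is rendered; the value is stored server-side only. */
function issue_action_token(array &$session, string $action, int $now): string
{
    $token = bin2hex(random_bytes(16));                  // 128 bits from the CSPRNG, not guessable
    $session['action_tokens'][$token] = ['action' => $action, 'issued' => $now];
    return $token;                                        // goes into a hidden form field
}

/**
 * Called when the form is submitted. Returns true at most once per token,
 * and only if this action was not already credited within MIN_ACTION_INTERVAL.
 */
function redeem_action_token(array &$session, string $action, string $submitted, int $now): bool
{
    $tokens = $session['action_tokens'] ?? [];
    // Compare in constant time against each outstanding token instead of
    // using the submitted value directly as an array key.
    $match = null;
    foreach ($tokens as $stored => $meta) {
        if (hash_equals($stored, $submitted)) {
            $match = $stored;
            break;
        }
    }
    if ($match === null) {
        return false;                                     // never issued, or already consumed
    }
    unset($session['action_tokens'][$match]);             // single use: burn it before any other check

    $meta = $tokens[$match];
    if ($meta['action'] !== $action || $now - $meta['issued'] > TOKEN_TTL_SECONDS) {
        return false;                                     // token for a different form, or stale
    }
    $last = $session['last_credited'][$action] ?? null;
    if ($last !== null && $now - $last < MIN_ACTION_INTERVAL) {
        return false;                                     // too soon after the last credited action
    }
    $session['last_credited'][$action] = $now;
    return true;
}

// Walk-through with a constructed session and a fake clock.
$session = [];
$t = 1000000;
$tok = issue_action_token($session, 'vote', $t);
var_dump(redeem_action_token($session, 'vote', $tok, $t + 5));           // true: fresh, first use
var_dump(redeem_action_token($session, 'vote', $tok, $t + 6));           // false: already consumed
$tok2 = issue_action_token($session, 'vote', $t + 10);
var_dump(redeem_action_token($session, 'vote', $tok2, $t + 20));         // false: within 60 s of last credit
$tok3 = issue_action_token($session, 'vote', $t + 70);
var_dump(redeem_action_token($session, 'vote', $tok3, $t + 80));         // true: interval elapsed
var_dump(redeem_action_token($session, 'vote', 'not-a-token', $t + 90)); // false: never issued
```

The token on its own only proves the submitter rendered the form first; it does not stop an automated client that fetches the form and then posts it. That is why the interval check is keyed on the account's last credited action rather than on the token, and in a real deployment the last_credited timestamp belongs in the database against the user id, not only in the session, so that starting a new session does not reset it. This matches Billy's point that no single signal is enough on its own.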