From felix at students.poly.edu Mon Dec 1 02:11:52 2003 From: felix at students.poly.edu (felix zaslavskiy) Date: Mon, 1 Dec 2003 02:11:52 -0500 Subject: [nycphp-talk] Viewing HTTP Headers In-Reply-To: <3FCAA5E7.5080502@optonline.net> References: <3FCAA5E7.5080502@optonline.net> Message-ID: <20031201021152.0f55b116.felix@students.poly.edu> I was wondering how to do this a few days ago. I found this little program called swiftsurf which is a basic http proxy. Its very easy to setup. As long as one does not use add blocking it works fast. One just needs to set "request 1 answer 1" in the config file to watch all the headers. I like this solution more because it lets me spy on any type of browser i use. On a related note. I generaly test with Firebird but I took a look at IE and it seems to not want to send If-Modified-Since header even when in cache settings i checked of to check on every page access. Or this could be that IE with wine just dont run right ? On Sun, 30 Nov 2003 21:22:32 -0500 Jeff Siegel wrote: > Thought this would be of interest. Jeff Knight told me about Firebird > (I'm running the Windows version) and one of the really cool extensions > allows you to view HTTP headers. Below is some sample output. > > Jeff Siegel > > > ==================================================== > SAMPLE OUTPUT FROM EXTENSION "LIVE HTTP HEADERS" > ==================================================== > > http://192.168.1.112/mrs/admin/login.php > > POST /mrs/admin/login.php HTTP/1.1 > Host: 192.168.1.112 > User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.5) > Gecko/20031007 Firebird/0.7 > Accept: > text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,video/x-mng,image/png,image/jpeg,image/gif;q=0.2,*/*;q=0.1 > Accept-Language: en-us,en;q=0.5 > Accept-Encoding: gzip,deflate > Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7 > Keep-Alive: 300 > Connection: keep-alive > Referer: http://192.168.1.112/mrs/admin/login.php > Cookie: PHPSESSID=d637bd1942ff5262fe4a4a5d0ed443a8 > Content-Type: application/x-www-form-urlencoded > PHPSESSID=d637bd1942ff5262fe4a4a5d0ed443a8&usrname=&password=&Submit=Submit > > > HTTP/1.x 200 OK > Date: Sun, 31 Oct 2004 01:17:06 GMT > Server: Apache/2.0.40 (Red Hat Linux) > Accept-Ranges: bytes > X-Powered-By: PHP/4.2.2 > Expires: Thu, 19 Nov 1981 08:52:00 GMT > Cache-Control: no-store, no-cache, must-revalidate, post-check=0, > pre-check=0 > Pragma: no-cache > Connection: close > Transfer-Encoding: chunked > Content-Type: text/html; charset=ISO-8859-1 > ---------------------------------------------------------- > > > _______________________________________________ > talk mailing list > talk at lists.nyphp.org > http://lists.nyphp.org/mailman/listinfo/talk > From simon.attila at marketcom.hu Mon Dec 1 07:20:51 2003 From: simon.attila at marketcom.hu (Simon Attila) Date: Mon, 1 Dec 2003 13:20:51 +0100 Subject: [nycphp-talk] Perl problem: $ENV{'HTTP_COOKIE'} is empty when script is used with SSI Message-ID: <003a01c3b805$8f979890$0b01a8c0@simon> Hi, I desperately looking for help in Perl cookie handling. A script reading $ENV{'HTTP_COOKIE'} is working fine when called directly from a browser (IE6), but when it is inserted to a HTML page with SSI, $ENV{'HTTP_COOKIE'} is empty and my authentication fails. What is the problem? How can I solve it? Please CC tip replies to eugenius at freemail.hu. Thanks in advance. Eug. From brian at preston-campbell.com Mon Dec 1 07:51:29 2003 From: brian at preston-campbell.com (Preston-Campbell) Date: Mon, 1 Dec 2003 07:51:29 -0500 Subject: [nycphp-talk] Quick assitance needed Message-ID: <200312010751.29336.brian@preston-campbell.com> A general plea for help with a project -- I need someone (preferably an independent contractor like myself and located in or near the 5 boros) with experience in customizing OSCommerce. I am running short on time for a looming deadline and have some minor details in the completion of a small site. The changes are not cosmetic, the design is 99% there, I am in need of coding and possibly additions to SQL only. Please contact offlist if interested in making a few bucks. I have a detailed list of what is needed. Brian Preston-Campbell From jsiegel1 at optonline.net Mon Dec 1 09:18:23 2003 From: jsiegel1 at optonline.net (Jeff Siegel) Date: Mon, 01 Dec 2003 09:18:23 -0500 Subject: [nycphp-talk] Encrypt/Decrypt without MCrypt Message-ID: <3FCB4DAF.4090709@optonline.net> I may be faced with a situation where I don't have MCrypt for encrypting/decrypting data. I need to store the PIN numbers in a database and be able to retrieve them. Is there some other method I can use instead? I was thinking, perhaps, something like the following: $myPinNumber = "123DGH"; $sSecret = '7R5D1N3V5C4Y6Z2X'; $ary = array('PIN' => $myPinNumber, 'Secret' => $sSecret); $sEncoded = base64_encode(serialize($ary)); Jeff Siegel From nyphp at websapp.com Mon Dec 1 09:25:27 2003 From: nyphp at websapp.com (Daniel Kushner) Date: Mon, 1 Dec 2003 09:25:27 -0500 Subject: [nycphp-talk] Encrypt/Decrypt without MCrypt In-Reply-To: <3FCB4DAF.4090709@optonline.net> Message-ID: Hi Jeff, That wouldn't really work. decoding the $sEncoded variable would result in a serialized array, thus exposing your PIN. Best, Daniel > -----Original Message----- > From: talk-bounces at lists.nyphp.org > [mailto:talk-bounces at lists.nyphp.org]On Behalf Of Jeff Siegel > Sent: Monday, December 01, 2003 9:18 AM > To: NYPHP Talk > Subject: [nycphp-talk] Encrypt/Decrypt without MCrypt > > > I may be faced with a situation where I don't have MCrypt for > encrypting/decrypting data. I need to store the PIN numbers in a > database and be able to retrieve them. Is there some other method I can > use instead? I was thinking, perhaps, something like the following: > > $myPinNumber = "123DGH"; > $sSecret = '7R5D1N3V5C4Y6Z2X'; > $ary = array('PIN' => $myPinNumber, 'Secret' => > $sSecret); > $sEncoded = base64_encode(serialize($ary)); > > Jeff Siegel > > _______________________________________________ > talk mailing list > talk at lists.nyphp.org > http://lists.nyphp.org/mailman/listinfo/talk > From csnyder at chxo.com Mon Dec 1 09:35:04 2003 From: csnyder at chxo.com (Chris Snyder) Date: Mon, 01 Dec 2003 09:35:04 -0500 Subject: [nycphp-talk] Viewing HTTP Headers In-Reply-To: <3FCAA5E7.5080502@optonline.net> References: <3FCAA5E7.5080502@optonline.net> Message-ID: <3FCB5198.6070006@chxo.com> Take a look at Pear's Crypt_Xtea package. http://pear.php.net/package/Crypt_Xtea TEA isn't the most trusted algo on the block, but it's probably better than obfuscation. If you're really serious about encrypting values, you need mcrypt (and some way to keep your encryption key secret). csnyder Jeff Siegel wrote: > Thought this would be of interest. Jeff Knight told me about Firebird > (I'm running the Windows version) and one of the really cool > extensions allows you to view HTTP headers. Below is some sample output. > > Jeff Siegel > > > ==================================================== > SAMPLE OUTPUT FROM EXTENSION "LIVE HTTP HEADERS" > ==================================================== > > http://192.168.1.112/mrs/admin/login.php > > POST /mrs/admin/login.php HTTP/1.1 > Host: 192.168.1.112 > User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.5) > Gecko/20031007 Firebird/0.7 > Accept: > text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,video/x-mng,image/png,image/jpeg,image/gif;q=0.2,*/*;q=0.1 > > Accept-Language: en-us,en;q=0.5 > Accept-Encoding: gzip,deflate > Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7 > Keep-Alive: 300 > Connection: keep-alive > Referer: http://192.168.1.112/mrs/admin/login.php > Cookie: PHPSESSID=d637bd1942ff5262fe4a4a5d0ed443a8 > Content-Type: application/x-www-form-urlencoded > Content-Length: 75 > PHPSESSID=d637bd1942ff5262fe4a4a5d0ed443a8&usrname=&password=&Submit=Submit > > > > HTTP/1.x 200 OK > Date: Sun, 31 Oct 2004 01:17:06 GMT > Server: Apache/2.0.40 (Red Hat Linux) > Accept-Ranges: bytes > X-Powered-By: PHP/4.2.2 > Expires: Thu, 19 Nov 1981 08:52:00 GMT > Cache-Control: no-store, no-cache, must-revalidate, post-check=0, > pre-check=0 > Pragma: no-cache > Connection: close > Transfer-Encoding: chunked > Content-Type: text/html; charset=ISO-8859-1 > ---------------------------------------------------------- > > > _______________________________________________ > talk mailing list > talk at lists.nyphp.org > http://lists.nyphp.org/mailman/listinfo/talk From jsiegel1 at optonline.net Mon Dec 1 09:38:47 2003 From: jsiegel1 at optonline.net (Jeff Siegel) Date: Mon, 01 Dec 2003 09:38:47 -0500 Subject: [nycphp-talk] Encrypt/Decrypt without MCrypt In-Reply-To: References: Message-ID: <3FCB5277.5090708@optonline.net> Did I forget to mention that it wasn't the *hottest* code in the world? ;) Jeff Daniel Kushner wrote: > Hi Jeff, > > That wouldn't really work. decoding the $sEncoded variable would result in > a serialized array, thus exposing your PIN. > > Best, > Daniel > > > >>-----Original Message----- >>From: talk-bounces at lists.nyphp.org >>[mailto:talk-bounces at lists.nyphp.org]On Behalf Of Jeff Siegel >>Sent: Monday, December 01, 2003 9:18 AM >>To: NYPHP Talk >>Subject: [nycphp-talk] Encrypt/Decrypt without MCrypt >> >> >>I may be faced with a situation where I don't have MCrypt for >>encrypting/decrypting data. I need to store the PIN numbers in a >>database and be able to retrieve them. Is there some other method I can >>use instead? I was thinking, perhaps, something like the following: >> >>$myPinNumber = "123DGH"; >>$sSecret = '7R5D1N3V5C4Y6Z2X'; >>$ary = array('PIN' => $myPinNumber, 'Secret' => >>$sSecret); >>$sEncoded = base64_encode(serialize($ary)); >> >>Jeff Siegel >> >>_______________________________________________ >>talk mailing list >>talk at lists.nyphp.org >>http://lists.nyphp.org/mailman/listinfo/talk >> > > > > _______________________________________________ > talk mailing list > talk at lists.nyphp.org > http://lists.nyphp.org/mailman/listinfo/talk > From bpang at bpang.com Mon Dec 1 09:40:12 2003 From: bpang at bpang.com (Brian Pang) Date: Mon, 01 Dec 2003 09:40:12 -0500 Subject: [nycphp-talk] Encrypt/Decrypt without MCrypt Message-ID: I do something similar to this when I need to be able to decrypt something. As long as noone gets a hold of your code to reverse engineer it. Is $sSecret user provided or are you re-using that for all records? I usually also append/prepend/insert my own "garbage" strings to the base64_encode results so that a simple base64_decode doesn't quite produce the "encrypted" data. Of course, don't forget to take them out again when you are decrypting. Also, sometimes I base64_encode the base64_encode result, or three times even... or four.. ain't I sneaky? One other thing to do it to get the ord() value for each char before or after base64-ing it, just to mess things up even more. Use chr() to do the reverse. Finally, write the code for this particular piece in the most cryptic manner that you can and don't comment the code. Don't use easy to follow var names like "sEncoded" Use single letters or other nonsense or random strings for var names, and put in lots of other useless code just to make it hard to interpret should anyone get a hold of it. > I may be faced with a situation where I don't have MCrypt for > encrypting/decrypting data. I need to store the PIN numbers in a > database and be able to retrieve them. Is there some other method I can > use instead? I was thinking, perhaps, something like the following: > > $myPinNumber = "123DGH"; > $sSecret = '7R5D1N3V5C4Y6Z2X'; > $ary = array('PIN' => $myPinNumber, 'Secret' => $sSecret); > $sEncoded = base64_encode(serialize($ary)); > > Jeff Siegel > > _______________________________________________ > talk mailing list > talk at lists.nyphp.org > http://lists.nyphp.org/mailman/listinfo/talk > > From jsiegel1 at optonline.net Mon Dec 1 09:41:09 2003 From: jsiegel1 at optonline.net (Jeff Siegel) Date: Mon, 01 Dec 2003 09:41:09 -0500 Subject: [nycphp-talk] Viewing HTTP Headers In-Reply-To: <3FCB5198.6070006@chxo.com> References: <3FCAA5E7.5080502@optonline.net> <3FCB5198.6070006@chxo.com> Message-ID: <3FCB5305.2070009@optonline.net> Thanks for pointing me to this package. Jeff Chris Snyder wrote: > Take a look at Pear's Crypt_Xtea package. > http://pear.php.net/package/Crypt_Xtea > > TEA isn't the most trusted algo on the block, but it's probably better > than obfuscation. If you're really serious about encrypting values, you > need mcrypt (and some way to keep your encryption key secret). > > csnyder > > > Jeff Siegel wrote: > >> Thought this would be of interest. Jeff Knight told me about Firebird >> (I'm running the Windows version) and one of the really cool >> extensions allows you to view HTTP headers. Below is some sample output. >> >> Jeff Siegel >> >> >> ==================================================== >> SAMPLE OUTPUT FROM EXTENSION "LIVE HTTP HEADERS" >> ==================================================== >> >> http://192.168.1.112/mrs/admin/login.php >> >> POST /mrs/admin/login.php HTTP/1.1 >> Host: 192.168.1.112 >> User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.5) >> Gecko/20031007 Firebird/0.7 >> Accept: >> text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,video/x-mng,image/png,image/jpeg,image/gif;q=0.2,*/*;q=0.1 >> >> Accept-Language: en-us,en;q=0.5 >> Accept-Encoding: gzip,deflate >> Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7 >> Keep-Alive: 300 >> Connection: keep-alive >> Referer: http://192.168.1.112/mrs/admin/login.php >> Cookie: PHPSESSID=d637bd1942ff5262fe4a4a5d0ed443a8 >> Content-Type: application/x-www-form-urlencoded >> Content-Length: 75 >> PHPSESSID=d637bd1942ff5262fe4a4a5d0ed443a8&usrname=&password=&Submit=Submit >> >> >> >> HTTP/1.x 200 OK >> Date: Sun, 31 Oct 2004 01:17:06 GMT >> Server: Apache/2.0.40 (Red Hat Linux) >> Accept-Ranges: bytes >> X-Powered-By: PHP/4.2.2 >> Expires: Thu, 19 Nov 1981 08:52:00 GMT >> Cache-Control: no-store, no-cache, must-revalidate, post-check=0, >> pre-check=0 >> Pragma: no-cache >> Connection: close >> Transfer-Encoding: chunked >> Content-Type: text/html; charset=ISO-8859-1 >> ---------------------------------------------------------- >> >> >> _______________________________________________ >> talk mailing list >> talk at lists.nyphp.org >> http://lists.nyphp.org/mailman/listinfo/talk > > > > > _______________________________________________ > talk mailing list > talk at lists.nyphp.org > http://lists.nyphp.org/mailman/listinfo/talk > From jsiegel1 at optonline.net Mon Dec 1 09:47:53 2003 From: jsiegel1 at optonline.net (Jeff Siegel) Date: Mon, 01 Dec 2003 09:47:53 -0500 Subject: [nycphp-talk] Encrypt/Decrypt without MCrypt In-Reply-To: References: Message-ID: <3FCB5499.5060805@optonline.net> $sSecret would be used for all records. I'm trying to find out if the client has a particular requirement in terms of encrypting since it's sensitive data. "ain't I sneaky?" - Yes! Jeff Brian Pang wrote: > I do something similar to this when I need to be able to decrypt something. > As long as noone gets a hold of your code to reverse engineer it. > > Is $sSecret user provided or are you re-using that for all records? > > I usually also append/prepend/insert my own "garbage" strings to the > base64_encode results so that a simple base64_decode doesn't quite > produce the "encrypted" data. > Of course, don't forget to take them out again when you are decrypting. > Also, sometimes I base64_encode the base64_encode result, or three times > even... or four.. ain't I sneaky? > One other thing to do it to get the ord() value for each char before or > after base64-ing it, just to mess things up even more. Use chr() to do > the reverse. > > Finally, write the code for this particular piece in the most cryptic > manner that you can and don't comment the code. Don't use easy to follow > var names like "sEncoded" Use single letters or other nonsense or > random strings for var names, and put in lots of other useless code just > to make it hard to interpret should anyone get a hold of it. > > > > >>I may be faced with a situation where I don't have MCrypt for >>encrypting/decrypting data. I need to store the PIN numbers in a >>database and be able to retrieve them. Is there some other method I can >>use instead? I was thinking, perhaps, something like the following: >> >>$myPinNumber = "123DGH"; >>$sSecret = '7R5D1N3V5C4Y6Z2X'; >>$ary = array('PIN' => $myPinNumber, 'Secret' => > > $sSecret); > >>$sEncoded = base64_encode(serialize($ary)); >> >>Jeff Siegel >> >>_______________________________________________ >>talk mailing list >>talk at lists.nyphp.org >>http://lists.nyphp.org/mailman/listinfo/talk >> >> > > > > > _______________________________________________ > talk mailing list > talk at lists.nyphp.org > http://lists.nyphp.org/mailman/listinfo/talk > From tgales at tgaconnect.com Mon Dec 1 10:20:39 2003 From: tgales at tgaconnect.com (Tim Gales) Date: Mon, 1 Dec 2003 10:20:39 -0500 Subject: [nycphp-talk] Encrypt/Decrypt without MCrypt In-Reply-To: <3FCB4DAF.4090709@optonline.net> Message-ID: <000301c3b81e$ae5c2570$bf8d3818@oberon1> Jeff Siegel: "...faced with a situation where I don't have Mcrypt..." this might be of interest: http://limonez.net/~jure/php/ Author claims it will store and retrieve sensitive info using MD5 hash (looks like it might work) T. Gales & Associates 'Helping People Connect with Technology' http://www.tgaconnect.com From cmerlo at ncc.edu Mon Dec 1 10:34:17 2003 From: cmerlo at ncc.edu (Christopher R. Merlo) Date: Mon, 1 Dec 2003 10:34:17 -0500 Subject: [nycphp-talk] Encrypt/Decrypt without MCrypt In-Reply-To: References: Message-ID: <20031201153417.GA17760@ncc.edu> On 2003-12-01 09:40 -0500, Brian Pang wrote: > Finally, write the code for this particular piece in the most cryptic > manner that you can and don't comment the code. Don't use easy to follow > var names like "sEncoded" Use single letters or other nonsense or > random strings for var names, and put in lots of other useless code just > to make it hard to interpret should anyone get a hold of it. This sounds like a recipe for disaster. If anyone *does* break in to your server, you'd get toasted this way. Also, remember: if it's hard for the attacker to interpret, it will be hard for you to interpret next month. Now I don't know if this helps, but on my site, users type in their password, and I compare it with an MD5 sum already in my DB. If the sums match, that means that the user typed in the correct password, and they're authenticated. This way, no cleartext password gets stored anywhere. -- cmerlo at ncc.edu http://turing.matcmp.ncc.edu/~cmerlo Recursion, n: See recursion. See also tail recursion. -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 232 bytes Desc: not available URL: From bpang at bpang.com Mon Dec 1 10:44:59 2003 From: bpang at bpang.com (Brian Pang) Date: Mon, 01 Dec 2003 10:44:59 -0500 Subject: [nycphp-talk] Encrypt/Decrypt without MCrypt Message-ID: I didn't claim that this approach would be fool proof, and I did, I thought, warn against anyone getting a hold of the code as an obvious security flaw. Ideally, one wouldn't have to re-interpret the code, but at least you would know that there's a bunch of crap in there you can ignore. Comparing an MD5 sum stored in a DB also won't reveal what the stored/encrypted data is, which I think is what was being sought here. > This sounds like a recipe for disaster. If anyone *does* break in to > your server, you'd get toasted this way. > > Also, remember: if it's hard for the attacker to interpret, it will be > hard for you to interpret next month. > > Now I don't know if this helps, but on my site, users type in their > password, and I compare it with an MD5 sum already in my DB. If the > sums match, that means that the user typed in the correct password, > and they're authenticated. This way, no cleartext password gets > stored anywhere. From jsiegel1 at optonline.net Mon Dec 1 10:46:51 2003 From: jsiegel1 at optonline.net (Jeff Siegel) Date: Mon, 01 Dec 2003 10:46:51 -0500 Subject: [nycphp-talk] Encrypt/Decrypt without MCrypt In-Reply-To: <20031201153417.GA17760@ncc.edu> References: <20031201153417.GA17760@ncc.edu> Message-ID: <3FCB626B.2020702@optonline.net> Let me explain the situation in a bit more detail...this may help to clarify what I'm trying to accomplish. I'll be storing 50,000 PIN numbers for phone cards. People will receive a card that has an alphanumeric code. They'll enter the code number into a form and receive an email that has a special URL attached. They'll click on the URL and then the associated PIN number will be displayed on the screen. My intention is to do all of this via SSL. My concern is the encrypting/decrypting of the PIN numbers. I can't use one-way encryption since I need to decrypt the data. The alphanumeric codes will also be stored in an encrypted form. Jeff Christopher R. Merlo wrote: > On 2003-12-01 09:40 -0500, Brian Pang wrote: > > >>Finally, write the code for this particular piece in the most cryptic >>manner that you can and don't comment the code. Don't use easy to follow >>var names like "sEncoded" Use single letters or other nonsense or >>random strings for var names, and put in lots of other useless code just >>to make it hard to interpret should anyone get a hold of it. > > > This sounds like a recipe for disaster. If anyone *does* break in to > your server, you'd get toasted this way. > > Also, remember: if it's hard for the attacker to interpret, it will be > hard for you to interpret next month. > > Now I don't know if this helps, but on my site, users type in their > password, and I compare it with an MD5 sum already in my DB. If the > sums match, that means that the user typed in the correct password, > and they're authenticated. This way, no cleartext password gets > stored anywhere. > > > > ------------------------------------------------------------------------ > > _______________________________________________ > talk mailing list > talk at lists.nyphp.org > http://lists.nyphp.org/mailman/listinfo/talk From cmerlo at ncc.edu Mon Dec 1 10:57:21 2003 From: cmerlo at ncc.edu (Christopher R. Merlo) Date: Mon, 1 Dec 2003 10:57:21 -0500 Subject: [nycphp-talk] Encrypt/Decrypt without MCrypt In-Reply-To: References: Message-ID: <20031201155721.GB17760@ncc.edu> On 2003-12-01 10:44 -0500, Brian Pang wrote: > Ideally, one wouldn't have to re-interpret the code, but at least you > would know that there's a bunch of crap in there you can ignore. What I meant is, it will be very hard to debug, maintain, and add new features later, if you obfuscate the code *on purpose*. Lots of us do that anyway, by accident. :) > Comparing an MD5 sum stored in a DB also won't reveal what the > stored/encrypted data is, which I think is what was being sought here. Yeah, I realized that after reading Jeff's last e-mail. Jeff, it sounds like mcrypt is the way to go. Can it become available to you? In other words, can you get the site admin to install it? -- cmerlo at ncc.edu http://turing.matcmp.ncc.edu/~cmerlo Recursion, n: See recursion. See also tail recursion. -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 232 bytes Desc: not available URL: From shiflett at php.net Mon Dec 1 10:58:19 2003 From: shiflett at php.net (Chris Shiflett) Date: Mon, 1 Dec 2003 07:58:19 -0800 (PST) Subject: [nycphp-talk] Viewing HTTP Headers In-Reply-To: <20031201021152.0f55b116.felix@students.poly.edu> Message-ID: <20031201155819.47538.qmail@web14306.mail.yahoo.com> --- felix zaslavskiy wrote: > I was wondering how to do this a few days ago. I found this little > program called swiftsurf which is a basic http proxy. Yeah, I wrote something like this several years ago called Protoscope (http://protoscope.org/). I rewrote it in PHP about two years ago to see how stable the sockets extension was, and it's been stagnating ever since. :-) What I liked about mine is that it embeds the HTTP transactions in the content (in addition to logging it), so the bottom of every page has this. It's definitely the most convenient one I've used. What is better about something like the Mozilla plugin is that it can reveal the HTTP for SSL connections, whereas an HTTP proxy cannot (it has to just create a tunnel). This makes it much better, in my opinion. Chris ===== Chris Shiflett - http://shiflett.org/ PHP Security Handbook Coming mid-2004 HTTP Developer's Handbook http://httphandbook.org/ From shiflett at php.net Mon Dec 1 10:59:59 2003 From: shiflett at php.net (Chris Shiflett) Date: Mon, 1 Dec 2003 07:59:59 -0800 (PST) Subject: [nycphp-talk] Viewing HTTP Headers In-Reply-To: <3FCB5198.6070006@chxo.com> Message-ID: <20031201155959.74295.qmail@web14301.mail.yahoo.com> Was this reply meant for some other thread? If not, I'm very lost. :-) --- Chris Snyder wrote: > Take a look at Pear's Crypt_Xtea package. > http://pear.php.net/package/Crypt_Xtea > > TEA isn't the most trusted algo on the block, but it's probably better > than obfuscation. If you're really serious about encrypting values, you > need mcrypt (and some way to keep your encryption key secret). > > csnyder > > > Jeff Siegel wrote: > > > Thought this would be of interest. Jeff Knight told me about Firebird > > (I'm running the Windows version) and one of the really cool > > extensions allows you to view HTTP headers. Below is some sample > output. > > > > Jeff Siegel > > > > > > ==================================================== > > SAMPLE OUTPUT FROM EXTENSION "LIVE HTTP HEADERS" > > ==================================================== > > > > http://192.168.1.112/mrs/admin/login.php > > > > POST /mrs/admin/login.php HTTP/1.1 > > Host: 192.168.1.112 > > User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.5) > > Gecko/20031007 Firebird/0.7 > > Accept: > > > text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,video/x-mng,image/png,image/jpeg,image/gif;q=0.2,*/*;q=0.1 > > > > > Accept-Language: en-us,en;q=0.5 > > Accept-Encoding: gzip,deflate > > Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7 > > Keep-Alive: 300 > > Connection: keep-alive > > Referer: http://192.168.1.112/mrs/admin/login.php > > Cookie: PHPSESSID=d637bd1942ff5262fe4a4a5d0ed443a8 > > Content-Type: application/x-www-form-urlencoded > > Content-Length: 75 > > > PHPSESSID=d637bd1942ff5262fe4a4a5d0ed443a8&usrname=&password=&Submit=Submit > > > > > > > > > HTTP/1.x 200 OK > > Date: Sun, 31 Oct 2004 01:17:06 GMT > > Server: Apache/2.0.40 (Red Hat Linux) > > Accept-Ranges: bytes > > X-Powered-By: PHP/4.2.2 > > Expires: Thu, 19 Nov 1981 08:52:00 GMT > > Cache-Control: no-store, no-cache, must-revalidate, post-check=0, > > pre-check=0 > > Pragma: no-cache > > Connection: close > > Transfer-Encoding: chunked > > Content-Type: text/html; charset=ISO-8859-1 > > ---------------------------------------------------------- ===== Chris Shiflett - http://shiflett.org/ PHP Security Handbook Coming mid-2004 HTTP Developer's Handbook http://httphandbook.org/ From tgales at tgaconnect.com Mon Dec 1 11:05:34 2003 From: tgales at tgaconnect.com (Tim Gales) Date: Mon, 1 Dec 2003 11:05:34 -0500 Subject: [nycphp-talk] Encrypt/Decrypt without MCrypt In-Reply-To: <3FCB626B.2020702@optonline.net> Message-ID: <001601c3b824$f69d4020$bf8d3818@oberon1> Jeff Siegel: "> I'll be storing 50,000 PIN numbers ..." Question: "Where will they be stored?" T. Gales & Associates 'Helping People Connect with Technology' http://www.tgaconnect.com From csnyder at chxo.com Mon Dec 1 11:08:22 2003 From: csnyder at chxo.com (csnyder at chxo.com) Date: Mon, 1 Dec 2003 11:08:22 -0500 Subject: [nycphp-talk] Viewing HTTP Headers In-Reply-To: <20031201155959.74295.qmail@web14301.mail.yahoo.com> References: <20031201155959.74295.qmail@web14301.mail.yahoo.com> Message-ID: <1070294902.3fcb677667177@webmail.tuffmail.net> Yes, so sorry-- was meant for the non-mCrypt thread. Not enough coffee yet. Quoting Chris Shiflett : > Was this reply meant for some other thread? If not, I'm very lost. :-) > > --- Chris Snyder wrote: > > Take a look at Pear's Crypt_Xtea package. > > http://pear.php.net/package/Crypt_Xtea > > > > TEA isn't the most trusted algo on the block, but it's probably better > > than obfuscation. If you're really serious about encrypting values, you > > need mcrypt (and some way to keep your encryption key secret). > > > > csnyder > > > > > > Jeff Siegel wrote: > > > > > Thought this would be of interest. Jeff Knight told me about Firebird > > > (I'm running the Windows version) and one of the really cool > > > extensions allows you to view HTTP headers. Below is some sample > > output. > > > > > > Jeff Siegel > > > > > > > > > ==================================================== > > > SAMPLE OUTPUT FROM EXTENSION "LIVE HTTP HEADERS" > > > ==================================================== > > > > > > http://192.168.1.112/mrs/admin/login.php > > > > > > POST /mrs/admin/login.php HTTP/1.1 > > > Host: 192.168.1.112 > > > User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.5) > > > Gecko/20031007 Firebird/0.7 > > > Accept: > > > > > > text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,video/x-mng,image/png,image/jpeg,image/gif;q=0.2,*/*;q=0.1 > > > > > > > > Accept-Language: en-us,en;q=0.5 > > > Accept-Encoding: gzip,deflate > > > Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7 > > > Keep-Alive: 300 > > > Connection: keep-alive > > > Referer: http://192.168.1.112/mrs/admin/login.php > > > Cookie: PHPSESSID=d637bd1942ff5262fe4a4a5d0ed443a8 > > > Content-Type: application/x-www-form-urlencoded > > > Content-Length: 75 > > > > > > PHPSESSID=d637bd1942ff5262fe4a4a5d0ed443a8&usrname=&password=&Submit=Submit > > > > > > > > > > > > > > HTTP/1.x 200 OK > > > Date: Sun, 31 Oct 2004 01:17:06 GMT > > > Server: Apache/2.0.40 (Red Hat Linux) > > > Accept-Ranges: bytes > > > X-Powered-By: PHP/4.2.2 > > > Expires: Thu, 19 Nov 1981 08:52:00 GMT > > > Cache-Control: no-store, no-cache, must-revalidate, post-check=0, > > > pre-check=0 > > > Pragma: no-cache > > > Connection: close > > > Transfer-Encoding: chunked > > > Content-Type: text/html; charset=ISO-8859-1 > > > ---------------------------------------------------------- > > ===== > Chris Shiflett - http://shiflett.org/ > > PHP Security Handbook > Coming mid-2004 > HTTP Developer's Handbook > http://httphandbook.org/ > _______________________________________________ > talk mailing list > talk at lists.nyphp.org > http://lists.nyphp.org/mailman/listinfo/talk > > > From jsiegel1 at optonline.net Mon Dec 1 11:16:06 2003 From: jsiegel1 at optonline.net (Jeff Siegel) Date: Mon, 01 Dec 2003 11:16:06 -0500 Subject: [nycphp-talk] Encrypt/Decrypt without MCrypt In-Reply-To: <001601c3b824$f69d4020$bf8d3818@oberon1> References: <001601c3b824$f69d4020$bf8d3818@oberon1> Message-ID: <3FCB6946.2000208@optonline.net> In a MySQL table. Jeff Tim Gales wrote: > Jeff Siegel: > "> I'll be storing 50,000 PIN numbers ..." > > Question: "Where will they be stored?" > > > T. Gales & Associates > 'Helping People Connect with Technology' > > http://www.tgaconnect.com > > > _______________________________________________ > talk mailing list > talk at lists.nyphp.org > http://lists.nyphp.org/mailman/listinfo/talk > From jsiegel1 at optonline.net Mon Dec 1 11:15:38 2003 From: jsiegel1 at optonline.net (Jeff Siegel) Date: Mon, 01 Dec 2003 11:15:38 -0500 Subject: [nycphp-talk] Encrypt/Decrypt without MCrypt In-Reply-To: <20031201155721.GB17760@ncc.edu> References: <20031201155721.GB17760@ncc.edu> Message-ID: <3FCB692A.6020601@optonline.net> I found out that the site admin can, indeed, install mcrypt...and I think that's the best way to go. Jeff Christopher R. Merlo wrote: > On 2003-12-01 10:44 -0500, Brian Pang wrote: > > >>Ideally, one wouldn't have to re-interpret the code, but at least you >>would know that there's a bunch of crap in there you can ignore. > > > What I meant is, it will be very hard to debug, maintain, and add new > features later, if you obfuscate the code *on purpose*. Lots of us do > that anyway, by accident. :) > > >>Comparing an MD5 sum stored in a DB also won't reveal what the >>stored/encrypted data is, which I think is what was being sought here. > > > Yeah, I realized that after reading Jeff's last e-mail. Jeff, it > sounds like mcrypt is the way to go. Can it become available to you? > In other words, can you get the site admin to install it? > > > > ------------------------------------------------------------------------ > > _______________________________________________ > talk mailing list > talk at lists.nyphp.org > http://lists.nyphp.org/mailman/listinfo/talk From jonbaer at jonbaer.net Mon Dec 1 11:33:38 2003 From: jonbaer at jonbaer.net (jon baer) Date: Mon, 1 Dec 2003 11:33:38 -0500 Subject: [nycphp-talk] Encrypt/Decrypt without MCrypt References: <20031201153417.GA17760@ncc.edu> <3FCB626B.2020702@optonline.net> Message-ID: <005e01c3b828$df836a00$6400a8c0@thinkpad> while you probably already found a solution for this, the most secure method will no doubt be using an offline private key for decryption (or hidden file) ... there is *suppose* to be a GnuPG extenion library designed to make this easier: http://www.gnupg.org/related_software/gpgme/ which would allow for embedding PKI into PHP much easier but I have not seen or heard any updates to whether this library will be out with PHP 5 (or compiled for PHP < 5) ... does anyone know? - jon ----- Original Message ----- From: "Jeff Siegel" To: "NYPHP Talk" Sent: Monday, December 01, 2003 10:46 AM Subject: Re: [nycphp-talk] Encrypt/Decrypt without MCrypt > Let me explain the situation in a bit more detail...this may help to > clarify what I'm trying to accomplish. > > I'll be storing 50,000 PIN numbers for phone cards. People will receive > a card that has an alphanumeric code. They'll enter the code number into > a form and receive an email that has a special URL attached. They'll > click on the URL and then the associated PIN number will be displayed on > the screen. My intention is to do all of this via SSL. > > My concern is the encrypting/decrypting of the PIN numbers. I can't use > one-way encryption since I need to decrypt the data. The alphanumeric > codes will also be stored in an encrypted form. > > Jeff > > Christopher R. Merlo wrote: > > > On 2003-12-01 09:40 -0500, Brian Pang wrote: > > > > > >>Finally, write the code for this particular piece in the most cryptic > >>manner that you can and don't comment the code. Don't use easy to follow > >>var names like "sEncoded" Use single letters or other nonsense or > >>random strings for var names, and put in lots of other useless code just > >>to make it hard to interpret should anyone get a hold of it. > > > > > > This sounds like a recipe for disaster. If anyone *does* break in to > > your server, you'd get toasted this way. > > > > Also, remember: if it's hard for the attacker to interpret, it will be > > hard for you to interpret next month. > > > > Now I don't know if this helps, but on my site, users type in their > > password, and I compare it with an MD5 sum already in my DB. If the > > sums match, that means that the user typed in the correct password, > > and they're authenticated. This way, no cleartext password gets > > stored anywhere. > > > > > > > > ------------------------------------------------------------------------ > > > > _______________________________________________ > > talk mailing list > > talk at lists.nyphp.org > > http://lists.nyphp.org/mailman/listinfo/talk > > _______________________________________________ > talk mailing list > talk at lists.nyphp.org > http://lists.nyphp.org/mailman/listinfo/talk > From tgales at tgaconnect.com Mon Dec 1 11:44:26 2003 From: tgales at tgaconnect.com (Tim Gales) Date: Mon, 1 Dec 2003 11:44:26 -0500 Subject: [nycphp-talk] Encrypt/Decrypt without MCrypt In-Reply-To: <3FCB6946.2000208@optonline.net> Message-ID: <001701c3b82a$627afb70$bf8d3818@oberon1> Question: "Where will they be stored?" Answer: In a MySQL table. When you said you don't have mcrypt I took that to mean the php is not compiled without mcrypt. Can you call the crypto facilities of MySQL? T. Gales & Associates 'Helping People Connect with Technology' http://www.tgaconnect.com From tgales at tgaconnect.com Mon Dec 1 12:11:11 2003 From: tgales at tgaconnect.com (Tim Gales) Date: Mon, 1 Dec 2003 12:11:11 -0500 Subject: [nycphp-talk] Encrypt/Decrypt without MCrypt In-Reply-To: <000301c3b81e$ae5c2570$bf8d3818@oberon1> Message-ID: <001a01c3b82e$20a00430$bf8d3818@oberon1> The author (Jure Koren), didn't claim you could recover the data my mistake from working too fast) still the fragment might have worked in a situation where you want to authenticate someone against a pin number. T. Gales & Associates 'Helping People Connect with Technology' http://www.tgaconnect.com From jsiegel1 at optonline.net Mon Dec 1 12:37:24 2003 From: jsiegel1 at optonline.net (Jeff Siegel) Date: Mon, 01 Dec 2003 12:37:24 -0500 Subject: [nycphp-talk] Encrypt/Decrypt without MCrypt In-Reply-To: <001701c3b82a$627afb70$bf8d3818@oberon1> References: <001701c3b82a$627afb70$bf8d3818@oberon1> Message-ID: <3FCB7C54.6050209@optonline.net> Right. PHP is not compiled with mcrypt. I'd have to look into your other suggestion to see if it would work on the shared server. I wasn't aware of those functions. Jeff Tim Gales wrote: > Question: "Where will they be stored?" > Answer: In a MySQL table. > > When you said you don't have mcrypt > I took that to mean the php is not > compiled without mcrypt. > > Can you call the crypto facilities of > MySQL? > > > T. Gales & Associates > 'Helping People Connect with Technology' > > http://www.tgaconnect.com > > > > _______________________________________________ > talk mailing list > talk at lists.nyphp.org > http://lists.nyphp.org/mailman/listinfo/talk > From southwell at dneba.com Mon Dec 1 20:33:13 2003 From: southwell at dneba.com (Michael Southwell) Date: Mon, 01 Dec 2003 20:33:13 -0500 Subject: [nycphp-talk] PHundamentals topic #4B: managing php.ini settings Message-ID: <6.0.1.1.2.20031201203111.01b056d8@mail.optonline.net> Last month's PHundamentals topic, what are the most important php.ini settings, generated many good suggestions. Now we turn to managing those settings. On a server we control, that seems straightforward: we modify php.ini. But we may also control some PHP settings using a or directive in httpd.conf, or in .htaccess. What is best practice here? And what is best practice on a server we don't control, where we have access only to our own directories? How can we make certain that our required settings are in effect? Jeff Siegel and Mike Southwell the PHundamentals team From webmaster at localnotion.com Mon Dec 1 20:43:02 2003 From: webmaster at localnotion.com (webmaster at localnotion.com) Date: Tue, 2 Dec 2003 01:43:02 +0000 Subject: [nycphp-talk] shiflett at linux conf Message-ID: <1070329382.65d3ce8603702@webmail.localnotion.com> From: http://www.linuxplanet.com/linuxplanet/reports/5130/1/ "Novell will now go out of its way to make native SuSE a really viable OS," concurred Chris Shiflett, an independent PHP developer, during Apache.Con. "The NetWare kernel is basically dead. Most people got tired of it by around NetWare 4 or 5," he added. From danielc at analysisandsolutions.com Mon Dec 1 21:49:38 2003 From: danielc at analysisandsolutions.com (Daniel Convissor) Date: Mon, 1 Dec 2003 21:49:38 -0500 Subject: [nycphp-talk] security? we don't need no stinkin security! Message-ID: <20031202024938.GA10184@panix.com> SecurityFocus Newsletter #225 VBPortal Friend.PHP Remote E-Mail Relaying Weakness http://www.securityfocus.com/bid/9088 Anthill Remote File Include Vulnerability http://www.securityfocus.com/bid/9095 My_EGallery Module Remote Include Command Injection Vulnerab... http://www.securityfocus.com/bid/9113 Bitfolge Snif Downloads Directory Traversal Vulnerability http://www.securityfocus.com/bid/9121 phpBB search.php SQL Injection Vulnerability http://www.securityfocus.com/bid/9122 [Gee, you'd think that after already having so many vulnerabilities they would have gone through and fixed all their problems. Guess not.] Stay strong and pay close attention... --Dan -- FREE scripts that make web and database programming easier http://www.analysisandsolutions.com/software/ T H E A N A L Y S I S A N D S O L U T I O N S C O M P A N Y 4015 7th Ave #4AJ, Brooklyn NY v: 718-854-0335 f: 718-854-0409 From jonbaer at jonbaer.net Mon Dec 1 21:52:14 2003 From: jonbaer at jonbaer.net (jon baer) Date: Mon, 1 Dec 2003 21:52:14 -0500 Subject: [nycphp-talk] security? we don't need no stinkin security! References: <20031202024938.GA10184@panix.com> Message-ID: <001501c3b87f$4ae25490$6400a8c0@thinkpad> > phpBB search.php SQL Injection Vulnerability > http://www.securityfocus.com/bid/9122 im just curious - what exactly was the solution that does work and why does it work? someone care to explain: if (intval($search_id)) { vs. $search_id = intval($search_id); if ($search_id) { - jon From shiflett at php.net Mon Dec 1 22:15:32 2003 From: shiflett at php.net (Chris Shiflett) Date: Mon, 1 Dec 2003 19:15:32 -0800 (PST) Subject: [nycphp-talk] shiflett at linux conf In-Reply-To: <1070329382.65d3ce8603702@webmail.localnotion.com> Message-ID: <20031202031532.1878.qmail@web14308.mail.yahoo.com> --- webmaster at localnotion.com wrote: > http://www.linuxplanet.com/linuxplanet/reports/5130/1/ > > "Novell will now go out of its way to make native SuSE a really > viable OS," concurred Chris Shiflett, an independent PHP developer, > during Apache.Con. "The NetWare kernel is basically dead. Most > people got tired of it by around NetWare 4 or 5," he added. That's interesting, considering I never spoke to anyone about SuSE, Novell, Linux on the desktop, or anything relevant to this story. Thanks for the link. While I don't necessarily disagree with the statements attributed to me, I certainly don't agree with them all (I'm not a KDE user, for example), and I am not pleased with having my name used to support someone else's point. This Jacqueline Emigh lady seems to enjoy making up stories. I wrote about her once already here: http://shiflett.org/archive/18 Ugh... Chris ===== Chris Shiflett - http://shiflett.org/ PHP Security Handbook Coming mid-2004 HTTP Developer's Handbook http://httphandbook.org/ >From hans not junk at nyphp.com Mon Dec 1 22:37:04 2003 Return-Path: Received: from londo.swishmail.com (londo.swishmail.com [209.10.110.95]) by virtu.nyphp.org (Postfix) with ESMTP id 49C07A85FD for ; Mon, 1 Dec 2003 22:37:04 -0500 (EST) Received: (qmail 53963 invoked by uid 89); 2 Dec 2003 03:37:04 -0000 Received: from unknown (HELO nyphp.com) (hans not junk at nyphp.com@66.65.174.214) by londo.swishmail.com with AES256-SHA encrypted SMTP; 2 Dec 2003 03:37:04 -0000 Message-ID: <3FCC08DF.9080102 at nyphp.com> Date: Mon, 01 Dec 2003 22:37:03 -0500 From: Hans Zaunere User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.6a) Gecko/20031030 X-Accept-Language: en-us, en MIME-Version: 1.0 To: NYPHP Talk Subject: Re: [nycphp-talk] shiflett at linux conf References: <20031202031532.1878.qmail at web14308.mail.yahoo.com> In-Reply-To: <20031202031532.1878.qmail at web14308.mail.yahoo.com> Content-Type: text/plain; charset=us-ascii; format=flowed Content-Transfer-Encoding: 7bit X-BeenThere: talk at lists.nyphp.org X-Mailman-Version: 2.1.2 Precedence: list Reply-To: NYPHP Talk List-Id: NYPHP Talk List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 02 Dec 2003 03:37:04 -0000 Chris Shiflett wrote: > --- webmaster at localnotion.com wrote: > >>http://www.linuxplanet.com/linuxplanet/reports/5130/1/ >> >>"Novell will now go out of its way to make native SuSE a really >>viable OS," concurred Chris Shiflett, an independent PHP developer, >>during Apache.Con. "The NetWare kernel is basically dead. Most >>people got tired of it by around NetWare 4 or 5," he added. > > > That's interesting, considering I never spoke to anyone about SuSE, > Novell, Linux on the desktop, or anything relevant to this story. > > Thanks for the link. While I don't necessarily disagree with the > statements attributed to me, I certainly don't agree with them all (I'm > not a KDE user, for example), and I am not pleased with having my name > used to support someone else's point. This Jacqueline Emigh lady seems to > enjoy making up stories. I wrote about her once already here: > > http://shiflett.org/archive/18 You can't buy that type of press Chris! :) H From shiflett at php.net Mon Dec 1 22:41:47 2003 From: shiflett at php.net (Chris Shiflett) Date: Mon, 1 Dec 2003 19:41:47 -0800 (PST) Subject: [nycphp-talk] shiflett at linux conf In-Reply-To: <3FCC08DF.9080102@nyphp.com> Message-ID: <20031202034147.99135.qmail@web14302.mail.yahoo.com> --- Hans Zaunere wrote: > > This Jacqueline Emigh lady seems to enjoy making up stories. I > > wrote about her once already here: > > > > http://shiflett.org/archive/18 > > You can't buy that type of press Chris! :) Heh, do I want that type of press? I am going to drop her a note. I'll give her the benefit of the doubt and assume she took crappy notes, but dang, surely the Novell/SuSE stuff was on a separate page in her notebook than SCO stuff. :-P Chris ===== Chris Shiflett - http://shiflett.org/ PHP Security Handbook Coming mid-2004 HTTP Developer's Handbook http://httphandbook.org/ >From hans not junk at nyphp.com Mon Dec 1 22:43:47 2003 Return-Path: Received: from londo.swishmail.com (londo.swishmail.com [209.10.110.95]) by virtu.nyphp.org (Postfix) with ESMTP id E83FCA85E6 for ; Mon, 1 Dec 2003 22:43:46 -0500 (EST) Received: (qmail 56484 invoked by uid 89); 2 Dec 2003 03:43:46 -0000 Received: from unknown (HELO nyphp.com) (hans not junk at nyphp.com@66.65.174.214) by londo.swishmail.com with AES256-SHA encrypted SMTP; 2 Dec 2003 03:43:46 -0000 Message-ID: <3FCC0A71.5090704 at nyphp.com> Date: Mon, 01 Dec 2003 22:43:45 -0500 From: Hans Zaunere User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.6a) Gecko/20031030 X-Accept-Language: en-us, en MIME-Version: 1.0 To: NYPHP Talk Subject: Re: [nycphp-talk] security? we don't need no stinkin security! References: <20031202024938.GA10184 at panix.com> <001501c3b87f$4ae25490$6400a8c0 at thinkpad> In-Reply-To: <001501c3b87f$4ae25490$6400a8c0 at thinkpad> Content-Type: text/plain; charset=us-ascii; format=flowed Content-Transfer-Encoding: 7bit X-BeenThere: talk at lists.nyphp.org X-Mailman-Version: 2.1.2 Precedence: list Reply-To: NYPHP Talk List-Id: NYPHP Talk List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 02 Dec 2003 03:43:47 -0000 jon baer wrote: >>phpBB search.php SQL Injection Vulnerability >>http://www.securityfocus.com/bid/9122 > > > im just curious - what exactly was the solution that does work and why does > it work? someone care to explain: > > if (intval($search_id)) { > vs. > $search_id = intval($search_id); > if ($search_id) { It's not those couple of lines that have the effect. Later in the code $search_id is used in the SQL statement. In the first case, $search_id is used verbatim; in the later, the return value from intval() is used. It's nothing concerning intval() or the structure of the if() - just sloppy programming. H >From hans not junk at nyphp.com Mon Dec 1 22:53:00 2003 Return-Path: Received: from londo.swishmail.com (londo.swishmail.com [209.10.110.95]) by virtu.nyphp.org (Postfix) with ESMTP id 23CEAA85E6 for ; Mon, 1 Dec 2003 22:53:00 -0500 (EST) Received: (qmail 58630 invoked by uid 89); 2 Dec 2003 03:53:00 -0000 Received: from unknown (HELO nyphp.com) (hans not junk at nyphp.com@66.65.174.214) by londo.swishmail.com with AES256-SHA encrypted SMTP; 2 Dec 2003 03:52:59 -0000 Message-ID: <3FCC0C9B.3070607 at nyphp.com> Date: Mon, 01 Dec 2003 22:52:59 -0500 From: Hans Zaunere User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.6a) Gecko/20031030 X-Accept-Language: en-us, en MIME-Version: 1.0 To: NYPHP Talk Subject: Re: [nycphp-talk] PHundamentals topic #4B: managing php.ini settings References: <6.0.1.1.2.20031201203111.01b056d8 at mail.optonline.net> In-Reply-To: <6.0.1.1.2.20031201203111.01b056d8 at mail.optonline.net> Content-Type: text/plain; charset=us-ascii; format=flowed Content-Transfer-Encoding: 7bit X-BeenThere: talk at lists.nyphp.org X-Mailman-Version: 2.1.2 Precedence: list Reply-To: NYPHP Talk List-Id: NYPHP Talk List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 02 Dec 2003 03:53:00 -0000 > On a server we control, that seems straightforward: we modify php.ini. > But we may also control some PHP settings using a or > directive in httpd.conf, or in .htaccess. What is best > practice here? Personally, I make extensive use of Apache's directive to control PHP's environment and application behavior. Properly using these directives, one can realize a great deal of power only thought to exist in those "other platforms." I especially use the and directives to manipulate certain areas of my application. That said, settings that never need to be manipulated, like register_globals :) I set in php.ini. Other major settings, like output_buffering, or those that can only be set in php.ini, I set in php.ini as well. I take a hybrid approach to settings like include_path, setting it to different values in different places, but with a sound default in php.ini. > And what is best practice on a server we don't control, where we have > access only to our own directories? How can we make certain that our > required settings are in effect? In some cases, you just can't and will have to contact the system administrator. For that with control, .htaccess can be handy, although access to that file may be limited as well. In these cases, these settings have to be dealt with using ini_set() in the application's logic. Determining what settings can be set how and where is vital and explained in http://php.net/ini_set Setting PHP values in Apache's conf files also have added flexibility. Setting a value with php_admin_value or php_admin_flag are non-overrideable elsewhere in the application logic, .htaccess files, or even virtual hosts - only Apache's main server config. More details at http://us3.php.net/configuration.changes H From shiflett at php.net Mon Dec 1 23:40:36 2003 From: shiflett at php.net (Chris Shiflett) Date: Mon, 1 Dec 2003 20:40:36 -0800 (PST) Subject: [nycphp-talk] security? we don't need no stinkin security! In-Reply-To: <20031202024938.GA10184@panix.com> Message-ID: <20031202044036.34245.qmail@web14307.mail.yahoo.com> --- Daniel Convissor wrote: > phpBB search.php SQL Injection Vulnerability > http://www.securityfocus.com/bid/9122 > [Gee, you'd think that after already having so many vulnerabilities > they would have gone through and fixed all their problems. Guess > not.] Yeah, someone really needs to write a forum in PHP that doesn't suck. While they're at it, a CMS that doesn't suck would be nice, too. It's a shame that there are Perl applications that fit these needs but no decent PHP representation. Speaking of "don't need no stinkin' security," here are five more reasons not to use IE: http://www.infoworld.com/article/03/11/26/HNnewholesinie_1.html I think IE is beating out the Nukes and phpBB as the software with the worst security model. :-) Chris ===== Chris Shiflett - http://shiflett.org/ PHP Security Handbook Coming mid-2004 HTTP Developer's Handbook http://httphandbook.org/ From sryBoston at hotmail.com Tue Dec 2 07:36:37 2003 From: sryBoston at hotmail.com (-sry) Date: Tue, 2 Dec 2003 07:36:37 -0500 Subject: [nycphp-talk] newbie - square one Message-ID: Okay, here's a really, REALLY basic question. I always seem to get the high-level stuff and miss the basics (kinda like Algebra stumps me even with a calculator but Calculus I do in my head :*) I've RTFM at php.net - very nice docs, like the searchability and index. Good online reference book. Alas, I want to do my very first PHP page--well, okay, not the first, I did a "Hello world" and phpinfo.php and those went fine and told me a bunch about my installation, all well and interesting, but now I want to do something I can actually USE. Let's say I have a page somepage.html and it has an onLoad(params) function in the BODY tag that currently calls some JavaScript funciton. Elsewhere on the page, I have a bunch of links to a PHP version of somepage.html and want to pass it different "params" for each of the links, each of which will "convert" the JavaScript/HTML behavior into PHP/HTML behavior and do something different with the onLoad() depending on which "params" value is clicked by the user. Never mind if this how to actually do it - I know I should just start with a php page, but I want to do it this way to LEARN, okay? If I change too many things at once, I will get lost on what is actually happening; my debugging habits are old and fixed. I can only change one thing at a time or I miss the problem completely. So for this link, I know I would put "somepage.php?params=value" cause this is the syntax of a query string and how one passes params via HTTP, but.... in the somepage.php, what do I do? Where do I put the first stuff? How do I extract "params" as a variable and get its user-selected value? The documentation seems to imply I would just put: and that the query string will have "created" the variable $params and somehow PHP will "know" what's in the query string and "value" will be defined...really? I don't have to extract some ENV-VAR like old-fashioned CGI processing? And since the assignment I want to do is in the BODY tag, how do I write the body tag with a PHP variable? like this: That didn't seem to do it for me so I must have misread or misunderstood the docs. Enlighten my ignorant self, someone? -sry ---------------------------------------------------------------------- Sarah R. Yoffa http://www.sarahryoffa.com/ sryBoston at hotmail.com "Stupid rules are meant to be changed, not broken." [-sry on sci.space.shuttle, c. 1993] ---------------------------------------------------------------------- From jsiegel1 at optonline.net Tue Dec 2 08:06:24 2003 From: jsiegel1 at optonline.net (Jeff Siegel) Date: Tue, 02 Dec 2003 08:06:24 -0500 Subject: [nycphp-talk] newbie - square one In-Reply-To: References: Message-ID: <3FCC8E50.10007@optonline.net> Sarah, "So for this link, I know I would put "somepage.php?params=value" cause this is the syntax of a query string and how one passes params via HTTP, but.... in the somepage.php, what do I do? Where do I put the first stuff? How do I extract "params" as a variable and get its user-selected value? The documentation seems to imply I would just put: " Here's the basics: You've got "somepage.php?params=value". To grab that value you could use something like the following on somepage.php: $sMyValue = $_GET['params']; You could put this at/near the top of the page within the php tags since, I assume, the remainder of the page is based on the user's selection. You'll want to use some sort of test to make sure that the value of $_GET['params'] is a legitimate value since a user can muck around with a value that is appended to a URL. So...if you used a switch statement, (http://us4.php.net/manual/en/control-structures.switch.php) you could have a default value to handle the case where the user has played around. Don't forget that PHP is server-side and Javascript is client-side. I believe some others on the list can address the issue of having the two communicate...in a sense. Please keep in mind, having been burnt badly by this, that some users will intentionally turn off Javascript "just to see what happens" so that, depending on what you're trying to do with the Javascript, it can really create a mess. Jeff Siegel -sry wrote: > Okay, here's a really, REALLY basic question. I always seem to > get the high-level stuff and miss the basics (kinda like Algebra > stumps me even with a calculator but Calculus I do in my head :*) > > I've RTFM at php.net - very nice docs, like the searchability and > index. Good online reference book. Alas, I want to do my very > first PHP page--well, okay, not the first, I did a "Hello world" and > phpinfo.php and those went fine and told me a bunch about my > installation, all well and interesting, but now I want to do something > I can actually USE. > > Let's say I have a page somepage.html and it has an onLoad(params) > function in the BODY tag that currently calls some JavaScript > funciton. Elsewhere on the page, I have a bunch of links to a PHP version > of somepage.html and want to pass it different "params" for each of the > links, each of which will "convert" the JavaScript/HTML behavior into > PHP/HTML behavior and do something different with the onLoad() > depending on which "params" value is clicked by the user. > > Never mind if this how to actually do it - I know I should just start > with a php page, but I want to do it this way to LEARN, okay? > If I change too many things at once, I will get lost on what is > actually happening; my debugging habits are old and fixed. I can > only change one thing at a time or I miss the problem completely. > > So for this link, I know I would put "somepage.php?params=value" > cause this is the syntax of a query string and how one passes params > via HTTP, but.... in the somepage.php, what do I do? Where do > I put the first stuff? How do I extract "params" as > a variable and get its user-selected value? > > The documentation seems to imply I would just put: > > $params=value; > ... > ?> > > and that the query string will have "created" the variable $params > and somehow PHP will "know" what's in the query string and > "value" will be defined...really? I don't have to extract some > ENV-VAR like old-fashioned CGI processing? > > And since the assignment I want to do is in the BODY tag, how > do I write the body tag with a PHP variable? like this: > > $params=value; > echo " ?> > > That didn't seem to do it for me so I must have misread or > misunderstood the docs. Enlighten my ignorant self, someone? > > -sry > ---------------------------------------------------------------------- > Sarah R. Yoffa > http://www.sarahryoffa.com/ > sryBoston at hotmail.com > "Stupid rules are meant to be changed, not broken." > [-sry on sci.space.shuttle, c. 1993] > ---------------------------------------------------------------------- > _______________________________________________ > talk mailing list > talk at lists.nyphp.org > http://lists.nyphp.org/mailman/listinfo/talk > From jlacey at att.net Tue Dec 2 08:07:50 2003 From: jlacey at att.net (John Lacey) Date: Tue, 02 Dec 2003 06:07:50 -0700 Subject: [nycphp-talk] newbie - square one In-Reply-To: References: Message-ID: <3FCC8EA6.1080300@att.net> -sry wrote: > So for this link, I know I would put "somepage.php?params=value" > cause this is the syntax of a query string and how one passes params > via HTTP, but.... in the somepage.php, what do I do? Where do > I put the first stuff? How do I extract "params" as > a variable and get its user-selected value? > > The documentation seems to imply I would just put: > > $params=value; > ... > ?> > > And since the assignment I want to do is in the BODY tag, how > do I write the body tag with a PHP variable? like this: > > $params=value; > echo " ?> there's a lot going on here, but let's start with the body tag syntax example: > the above is php embedded in an html tag rather than html being "embedded" (echo) in a php statement so far as your debugging style, it seems to me that it is right on... I've always found that changing more than one variable at a time sometimes masks valuable information that could be gleaned with just a little more patience. try putting a value in the $onload variable and observe results -- oftentimes that will lead to your next question along the discovery process hope that helps a little John From jsiegel1 at optonline.net Tue Dec 2 09:04:47 2003 From: jsiegel1 at optonline.net (Jeff Siegel) Date: Tue, 02 Dec 2003 09:04:47 -0500 Subject: [nycphp-talk] NYPHP PARTY TIME!! Message-ID: <3FCC9BFF.5050400@optonline.net> NYPHP is organizing a holiday party for the evening of December 16th and you're invited! Please let us know if you'd like to attend by sending an email to me off-list. We'll be sending out more details within the next few days. Jeff Siegel >From hans not junk at nyphp.com Tue Dec 2 09:31:34 2003 Return-Path: Received: from londo.swishmail.com (londo.swishmail.com [209.10.110.95]) by virtu.nyphp.org (Postfix) with ESMTP id A58F6A85E6 for ; Tue, 2 Dec 2003 09:31:34 -0500 (EST) Received: (qmail 6140 invoked by uid 89); 2 Dec 2003 14:31:34 -0000 Received: from unknown (HELO nyphp.com) (hans not junk at nyphp.com@128.122.155.151) by londo.swishmail.com with AES256-SHA encrypted SMTP; 2 Dec 2003 14:31:34 -0000 Message-ID: <3FCCA28D.4070706 at nyphp.com> Date: Tue, 02 Dec 2003 09:32:45 -0500 From: Hans Zaunere User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.5) Gecko/20031007 X-Accept-Language: en-us, en MIME-Version: 1.0 To: NYPHP Talk Subject: Re: [nycphp-talk] security? we don't need no stinkin security! References: <20031202044036.34245.qmail at web14307.mail.yahoo.com> In-Reply-To: <20031202044036.34245.qmail at web14307.mail.yahoo.com> Content-Type: text/plain; charset=us-ascii; format=flowed Content-Transfer-Encoding: 7bit X-BeenThere: talk at lists.nyphp.org X-Mailman-Version: 2.1.2 Precedence: list Reply-To: NYPHP Talk List-Id: NYPHP Talk List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 02 Dec 2003 14:31:35 -0000 Chris Shiflett wrote: > --- Daniel Convissor wrote: > >>phpBB search.php SQL Injection Vulnerability >>http://www.securityfocus.com/bid/9122 >>[Gee, you'd think that after already having so many vulnerabilities >>they would have gone through and fixed all their problems. Guess >>not.] > > > Yeah, someone really needs to write a forum in PHP that doesn't suck. > While they're at it, a CMS that doesn't suck would be nice, too. It's a > shame that there are Perl applications that fit these needs but no decent > PHP representation. I think the interesting thing is that these types of applications do exist in PHP. In passing, I've seen some excellent software, written in house, and kept private. It's really a matter of public domain stuff, and a sense of a strong - public - community. PHP vs Perl is akin to BSD vs Linux - we all know which one is better, but the BSD guys just don't care to talk about it so much :) In the end, this is what NYPHP - and now NYCBUG - seek to promote - community. H From bpang at bpang.com Tue Dec 2 09:52:59 2003 From: bpang at bpang.com (Brian Pang) Date: Tue, 02 Dec 2003 09:52:59 -0500 Subject: [nycphp-talk] newbie - square one Message-ID: I'm going to skip straight to the php. With this code, you are initializing $params as a variable with value. > $params=value; > ... > ?> However you are passing ?params=value in the query string. You can access the query string variable directly as $_GET['params']. > and that the query string will have "created" the variable $params > and somehow PHP will "know" what's in the query string and > "value" will be defined...really? I don't have to extract some > ENV-VAR like old-fashioned CGI processing? This only happens if register_globals is turned on in your php_ini. Don't rely on it. Do it the right way with $_GET['params']. Change this: > $params=value; > echo " ?> to: It's MUCH easier to drop PHP vars into html this way, rather than echoing out the full line with escaped quotes, etc. From tgales at tgaconnect.com Tue Dec 2 10:45:24 2003 From: tgales at tgaconnect.com (Tim Gales) Date: Tue, 2 Dec 2003 10:45:24 -0500 Subject: [nycphp-talk] security? we don't need no stinkin security! In-Reply-To: <20031202044036.34245.qmail@web14307.mail.yahoo.com> Message-ID: <005b01c3b8eb$4dc7f040$bf8d3818@oberon1> Chris Shiflett wrote: "Yeah, someone really needs to write a forum in PHP that doesn't suck." and "It's a shame that there are Perl applications that fit these needs but no decent PHP representation." I have been meaning to take a look at the following: http://www.yabbse.org/ It is a php conversion of YABB at http://www.yabbforum.com/ YABB was done in Perl and is highly touted (at least at Tucows) YABBSE was done in PHP. What caught my eye was the following quote from the yabbse.org page: "I checked my bandwidth with YaBB SE and its over 2 days 338 mb. When I had YaBB gold it was close to a GIG a day" If the guy who said that is really on the level (I don't doubt his honesty but there may have been fewer users doing fewer things) that would mean PHP is approaching six times more efficient than Perl. I wish I could find time to check the two implementations to see where PHP is more efficient than Perl. T. Gales & Associates 'Helping People Connect with Technology' http://www.tgaconnect.com From shiflett at php.net Tue Dec 2 10:57:55 2003 From: shiflett at php.net (Chris Shiflett) Date: Tue, 2 Dec 2003 07:57:55 -0800 (PST) Subject: [nycphp-talk] security? we don't need no stinkin security! In-Reply-To: <005b01c3b8eb$4dc7f040$bf8d3818@oberon1> Message-ID: <20031202155755.35499.qmail@web14301.mail.yahoo.com> --- Tim Gales wrote: > I have been meaning to take a look at the following: > http://www.yabbse.org/ > > It is a php conversion of YABB That sounds interesting. I might go check out a demo. To be fair, FUDforum is pretty good. My complaints with it are: 1. Too complicated to use (maybe partly because of point 2) 2. Fugly! They need someone like Jeff Knight to completely redo the entire presentation layer. Underneath, it's really not so bad, and it's insanely fast. > What caught my eye was the following quote from the yabbse.org page: > "I checked my bandwidth with YaBB SE and its over 2 days 338 mb. > When I had YaBB gold it was close to a GIG a day" > > If the guy who said that is really on the level (I don't doubt his > honesty but there may have been fewer users doing fewer things) > that would mean PHP is approaching six times more efficient than > Perl. I don't think he means more efficient. Bandwidth usage like that only suggests that YaBB SE spits out less markup. That's a good thing, but it could (theoretically) take twice as long to do so. :-) Chris ===== Chris Shiflett - http://shiflett.org/ PHP Security Handbook Coming mid-2004 HTTP Developer's Handbook http://httphandbook.org/ From joshmccormack at travelersdiary.com Tue Dec 2 11:04:16 2003 From: joshmccormack at travelersdiary.com (joshmccormack at travelersdiary.com) Date: Tue, 2 Dec 2003 10:04:16 -0600 (CST) Subject: [nycphp-talk] security? we don't need no stinkin security! In-Reply-To: <20031202155755.35499.qmail@web14301.mail.yahoo.com> Message-ID: On Tue, 2 Dec 2003, Chris Shiflett wrote: > To be fair, FUDforum is pretty good. My complaints with it are: > > 1. Too complicated to use (maybe partly because of point 2) > 2. Fugly! They need someone like Jeff Knight to completely redo the entire > presentation layer. > > Underneath, it's really not so bad, and it's insanely fast. > Chris FUDforum has a very interesting feature for meshing with mailing list programs, like Mailman. I agree it's pretty ugly. Josh From tgales at tgaconnect.com Tue Dec 2 11:20:33 2003 From: tgales at tgaconnect.com (Tim Gales) Date: Tue, 2 Dec 2003 11:20:33 -0500 Subject: [nycphp-talk] security? we don't need no stinkin security! In-Reply-To: <20031202155755.35499.qmail@web14301.mail.yahoo.com> Message-ID: <005d01c3b8f0$39cb9150$bf8d3818@oberon1> Chris Shiflett writes: "> I don't think he means more efficient. Bandwidth usage like > that only suggests that YaBB SE spits out less markup. That's > a good thing, but it could (theoretically) take twice as long > to do so. :-)" I mean more efficient -- if you can get the same content out with less markup how else do you describe it (other than being more efficient) T. Gales & Associates 'Helping People Connect with Technology' http://www.tgaconnect.com From keith.richardson at thompsonhealth.com Tue Dec 2 11:21:00 2003 From: keith.richardson at thompsonhealth.com (Keith Richardson) Date: Tue, 2 Dec 2003 11:21:00 -0500 Subject: [nycphp-talk] security? we don't need no stinkin security! In-Reply-To: <4A34D0947B38AF4D8629DA86655D5906915394@ffth-exc01.thompsonhealth.org> Message-ID: <4A34D0947B38AF4D8629DA86655D5906C131@ffth-exc01.thompsonhealth.org> I have used a lot of forums, and vbulletin seems the most feature-rific, and with 3.0 beta, uses better password encryption than just plain md5. its not free, but our forum community loves it. so we had to buy a new license when we moved domains :P ahh well. www.forumsx.net -----Original Message----- From: talk-bounces at lists.nyphp.org [mailto:talk-bounces at lists.nyphp.org]On Behalf Of joshmccormack at travelersdiary.com Sent: Tuesday, December 02, 2003 11:04 AM To: NYPHP Talk Subject: RE: [nycphp-talk] security? we don't need no stinkin security! On Tue, 2 Dec 2003, Chris Shiflett wrote: > To be fair, FUDforum is pretty good. My complaints with it are: > > 1. Too complicated to use (maybe partly because of point 2) > 2. Fugly! They need someone like Jeff Knight to completely redo the entire > presentation layer. > > Underneath, it's really not so bad, and it's insanely fast. > Chris FUDforum has a very interesting feature for meshing with mailing list programs, like Mailman. I agree it's pretty ugly. Josh _______________________________________________ talk mailing list talk at lists.nyphp.org http://lists.nyphp.org/mailman/listinfo/talk From adam at trachtenberg.com Tue Dec 2 11:29:57 2003 From: adam at trachtenberg.com (Adam Maccabee Trachtenberg) Date: Tue, 2 Dec 2003 11:29:57 -0500 (EST) Subject: [nycphp-talk] security? we don't need no stinkin security! In-Reply-To: <005d01c3b8f0$39cb9150$bf8d3818@oberon1> References: <005d01c3b8f0$39cb9150$bf8d3818@oberon1> Message-ID: On Tue, 2 Dec 2003, Tim Gales wrote: > Chris Shiflett writes: > "> I don't think he means more efficient. Bandwidth usage like > > that only suggests that YaBB SE spits out less markup. That's > > a good thing, but it could (theoretically) take twice as long > > to do so. :-)" > > I mean more efficient -- if you can get the same content > out with less markup how else do you describe it > (other than being more efficient) You're both right! Getting the same content with less markup is more bandwidth efficient, but if it requires twice as many CPU cycles to generate the output then there may also be a decrease in processing efficiency. Chris's point was that you can't measure the net efficiency of the system by only looking at one source. -adam -- adam at trachtenberg.com author of o'reilly's php cookbook avoid the holiday rush, buy your copy today! From shiflett at php.net Tue Dec 2 11:38:13 2003 From: shiflett at php.net (Chris Shiflett) Date: Tue, 2 Dec 2003 08:38:13 -0800 (PST) Subject: [nycphp-talk] security? we don't need no stinkin security! In-Reply-To: <005d01c3b8f0$39cb9150$bf8d3818@oberon1> Message-ID: <20031202163813.17076.qmail@web14302.mail.yahoo.com> --- Tim Gales wrote: > I mean more efficient -- if you can get the same content > out with less markup how else do you describe it (other > than being more efficient) Maybe it's just a difference of interpretation, but let's take some clearer examples: foo.php: bar.php: I would say that bar.php is more efficient, but foo.php produces less markup. Chris ===== Chris Shiflett - http://shiflett.org/ PHP Security Handbook Coming mid-2004 HTTP Developer's Handbook http://httphandbook.org/ From Kbedi at inta.org Tue Dec 2 11:45:31 2003 From: Kbedi at inta.org (Kshitij Bedi) Date: Tue, 2 Dec 2003 11:45:31 -0500 Subject: [nycphp-talk] Help with mysql select within a select query Message-ID: Hi there can someone tell me why this query below is not working in mysql 4.0.16 its a select within a select query. If this syntax below is not correct, is there a work around for this. Considering tblA has alot of fields including ID(Primary Key) and ID1 as another field Query: Select * from tblA where id in (select max(id) from tblA where id>=76 and id<=109 group by id1) Regards, Kshitij Bedi Web Admin International Trademark Association From shiflett at php.net Tue Dec 2 11:45:49 2003 From: shiflett at php.net (Chris Shiflett) Date: Tue, 2 Dec 2003 08:45:49 -0800 (PST) Subject: [nycphp-talk] security? we don't need no stinkin security! In-Reply-To: Message-ID: <20031202164549.39510.qmail@web14308.mail.yahoo.com> --- Adam Maccabee Trachtenberg wrote: > Getting the same content with less markup is more bandwidth > efficient, but if it requires twice as many CPU cycles to > generate the output then there may also be a decrease in > processing efficiency. That's a good point. I guess I always think of "efficient" referring to performance (processing performance, to be specific). Chris ===== Chris Shiflett - http://shiflett.org/ PHP Security Handbook Coming mid-2004 HTTP Developer's Handbook http://httphandbook.org/ From henry at beewh.com Tue Dec 2 11:56:48 2003 From: henry at beewh.com (Henry Ponce) Date: Tue, 2 Dec 2003 11:56:48 -0500 Subject: [nycphp-talk] Help with mysql select within a select query In-Reply-To: References: Message-ID: <200312021156.48424.henry@beewh.com> mysql doesn't support subselects. try using another type of query... you can check in google, there is plenty of info. Henry From nyphp at websapp.com Tue Dec 2 12:08:30 2003 From: nyphp at websapp.com (Daniel Kushner) Date: Tue, 2 Dec 2003 12:08:30 -0500 Subject: [nycphp-talk] Apache Auth question Message-ID: Hey, A directory has an .htaccess with basic httpd authentication. Example: AuthType Basic AuthName "By Invitation Only" AuthUserFile /usr/local/apache/passwd/passwords Require user rbowen sungo How can this authentication be excluded for a subdirectory? Best, Daniel >From hans not junk at nyphp.com Tue Dec 2 12:13:39 2003 Return-Path: Received: from londo.swishmail.com (londo.swishmail.com [209.10.110.95]) by virtu.nyphp.org (Postfix) with ESMTP id ED1A2A85FD for ; Tue, 2 Dec 2003 12:13:38 -0500 (EST) Received: (qmail 57073 invoked by uid 89); 2 Dec 2003 17:13:38 -0000 Received: from unknown (HELO nyphp.com) (hans not junk at nyphp.com@128.122.155.151) by londo.swishmail.com with AES256-SHA encrypted SMTP; 2 Dec 2003 17:13:38 -0000 Message-ID: <3FCCC889.3060103 at nyphp.com> Date: Tue, 02 Dec 2003 12:14:49 -0500 From: Hans Zaunere User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.5) Gecko/20031007 X-Accept-Language: en-us, en MIME-Version: 1.0 To: NYPHP Talk Subject: Re: [nycphp-talk] security? we don't need no stinkin security! References: <20031202163813.17076.qmail at web14302.mail.yahoo.com> In-Reply-To: <20031202163813.17076.qmail at web14302.mail.yahoo.com> Content-Type: text/plain; charset=us-ascii; format=flowed Content-Transfer-Encoding: 7bit X-BeenThere: talk at lists.nyphp.org X-Mailman-Version: 2.1.2 Precedence: list Reply-To: NYPHP Talk List-Id: NYPHP Talk List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 02 Dec 2003 17:13:39 -0000 Chris Shiflett wrote: > --- Tim Gales wrote: > >>I mean more efficient -- if you can get the same content >>out with less markup how else do you describe it (other >>than being more efficient) > > > Maybe it's just a difference of interpretation, but let's take some > clearer examples: > > foo.php: > sleep(5); > echo 'foo'; > ?> > > bar.php: > sleep(1); > echo 'barbarbarbarbar'; > ?> > > I would say that bar.php is more efficient, but foo.php produces less > markup. Not to nit-pick, but why would bar.php be more efficient? foo.php is sleeping, thus taking no CPU cycles. Maybe if foo.php was for( $i = 0; $i < 1000000000; ++$i ); echo 'foo'; ? :) H >From hans not junk at nyphp.com Tue Dec 2 12:35:22 2003 Return-Path: Received: from londo.swishmail.com (londo.swishmail.com [209.10.110.95]) by virtu.nyphp.org (Postfix) with ESMTP id A49CFA85FD for ; Tue, 2 Dec 2003 12:35:22 -0500 (EST) Received: (qmail 63966 invoked by uid 89); 2 Dec 2003 17:35:22 -0000 Received: from unknown (HELO nyphp.com) (hans not junk at nyphp.com@128.122.155.151) by londo.swishmail.com with AES256-SHA encrypted SMTP; 2 Dec 2003 17:35:22 -0000 Message-ID: <3FCCCDA1.8010203 at nyphp.com> Date: Tue, 02 Dec 2003 12:36:33 -0500 From: Hans Zaunere User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.5) Gecko/20031007 X-Accept-Language: en-us, en MIME-Version: 1.0 To: NYPHP Talk Subject: Re: [nycphp-talk] translating behaviors from JavaScript to PHP References: In-Reply-To: Content-Type: text/plain; charset=us-ascii; format=flowed Content-Transfer-Encoding: 7bit X-BeenThere: talk at lists.nyphp.org X-Mailman-Version: 2.1.2 Precedence: list Reply-To: NYPHP Talk List-Id: NYPHP Talk List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 02 Dec 2003 17:35:23 -0000 -sry wrote: > [ repost - sent to the wrong list ] > > >>Hiya listies, >> >>Seems like PHP is a bit of a sledgehammer for web design, >>but I like it so far :) Sledgehammer? Maybe an ice-pic... >>I'm currently giving my brain a rest from the Flash/text >>protection thingy and revisiting a CSS design issue I'm >>trying to learn (positioning vs tables). I'm doing this vis a >>vis my personal web site. Since I like to keep code as >>modularized as possible, I separated out my JavaScript >>(for mouseover behavior and other sillyness) into a .js file. >>As a mechanism for putting my hands on some PHP as I >>learn it, I figured I'd take the existing page design and >>behavior and "translate" it into a PHP implementation. Keep in mind that PHP runs strictly on the server - the browser is never aware of any PHP code. Granted, you can use PHP to generate the client-side code the browser then reads and parses, but translating between Javascript and PHP - in a linear sense - is not possible. H From tgales at tgaconnect.com Tue Dec 2 12:46:58 2003 From: tgales at tgaconnect.com (Tim Gales) Date: Tue, 2 Dec 2003 12:46:58 -0500 Subject: [nycphp-talk] security? we don't need no stinkin security! In-Reply-To: Message-ID: <006d01c3b8fc$496fd100$bf8d3818@oberon1> Adam writes: "You're both right!" Thanks, I mostly deal with systems that are are i/o bound (with cpu power to spare) -- where it is just taken for granted that it is worth spending cpu time to compress something before sending it out. I have gotten into the (bad) habit of calling that 'more efficient'. Like the man in orthopedic shoes said, "I stand corrected." T. Gales & Associates 'Helping People Connect with Technology' http://www.tgaconnect.com > From jlacey at att.net Tue Dec 2 12:59:16 2003 From: jlacey at att.net (John Lacey) Date: Tue, 02 Dec 2003 10:59:16 -0700 Subject: [nycphp-talk] security? we don't need no stinkin security! In-Reply-To: <20031202044036.34245.qmail@web14307.mail.yahoo.com> References: <20031202044036.34245.qmail@web14307.mail.yahoo.com> Message-ID: <3FCCD2F4.2030302@att.net> Chris Shiflett wrote: > --- Daniel Convissor wrote: > >>phpBB search.php SQL Injection Vulnerability >>http://www.securityfocus.com/bid/9122 >>[Gee, you'd think that after already having so many vulnerabilities >>they would have gone through and fixed all their problems. Guess >>not.] > > > Yeah, someone really needs to write a forum in PHP that doesn't suck. > While they're at it, a CMS that doesn't suck would be nice, too. It's a > shame that there are Perl applications that fit these needs but no decent > PHP representation. > and speaking of that, BB's CMS's and the like have very well-defined things that they "need to do"... wouldn't it be nice if well-designed secure components (pcom?) were available that one could go to the 'lego box' and pull out what you need to put it together... From nyphp at enobrev.com Tue Dec 2 13:01:56 2003 From: nyphp at enobrev.com (Mark Armendariz) Date: Tue, 2 Dec 2003 13:01:56 -0500 Subject: [nycphp-talk] Help with mysql select within a select query In-Reply-To: <200312021156.48424.henry@beewh.com> Message-ID: > mysql doesn't support subselects. try using another type of query... I was under the impression that you could in the where clause, although I'm not sure if you can use it with an 'in' statement. I know you can't use it in the SELECT part of a statement (as a field), though. In the manual http://www.mysql.com/doc/en/Subqueries.html And a tutorial http://www.devshed.com/Server_Side/MySQL/MySQL_Subqueries -----Original Message----- From: talk-bounces at lists.nyphp.org [mailto:talk-bounces at lists.nyphp.org] On Behalf Of Henry Ponce Sent: Tuesday, December 02, 2003 11:57 AM To: NYPHP Talk Subject: Re: [nycphp-talk] Help with mysql select within a select query mysql doesn't support subselects. try using another type of query... you can check in google, there is plenty of info. Henry _______________________________________________ talk mailing list talk at lists.nyphp.org http://lists.nyphp.org/mailman/listinfo/talk From tgales at tgaconnect.com Tue Dec 2 13:18:50 2003 From: tgales at tgaconnect.com (Tim Gales) Date: Tue, 2 Dec 2003 13:18:50 -0500 Subject: [nycphp-talk] Help with mysql select within a select query In-Reply-To: Message-ID: <006e01c3b900$bf9ecda0$bf8d3818@oberon1> Mark Armendariz writes: "In the manual http://www.mysql.com/doc/en/Subqueries.html" When reading or quoting from the manual, be careful to check the version numbers of the MySQL to which you want to apply information from the documentation -- some features may not be supported in earlier versions. T. Gales & Associates 'Helping People Connect with Technology' http://www.tgaconnect.com From nyphp at enobrev.com Tue Dec 2 13:34:48 2003 From: nyphp at enobrev.com (Mark Armendariz) Date: Tue, 2 Dec 2003 13:34:48 -0500 Subject: [nycphp-talk] Help with mysql select within a select query In-Reply-To: <006e01c3b900$bf9ecda0$bf8d3818@oberon1> Message-ID: A HA.. Good catch.. A bit of pre-coffee dyslexia (saw 4.1, not 4.0)... My apologies. -----Original Message----- From: talk-bounces at lists.nyphp.org [mailto:talk-bounces at lists.nyphp.org] On Behalf Of Tim Gales Sent: Tuesday, December 02, 2003 1:19 PM To: 'NYPHP Talk' Subject: RE: [nycphp-talk] Help with mysql select within a select query Mark Armendariz writes: "In the manual http://www.mysql.com/doc/en/Subqueries.html" When reading or quoting from the manual, be careful to check the version numbers of the MySQL to which you want to apply information from the documentation -- some features may not be supported in earlier versions. T. Gales & Associates 'Helping People Connect with Technology' http://www.tgaconnect.com _______________________________________________ talk mailing list talk at lists.nyphp.org http://lists.nyphp.org/mailman/listinfo/talk From lists at prusak.com Tue Dec 2 13:42:15 2003 From: lists at prusak.com (Ophir Prusak) Date: Tue, 2 Dec 2003 13:42:15 -0500 Subject: [nycphp-talk] security? we don't need no stinkin security! References: <006d01c3b8fc$496fd100$bf8d3818@oberon1> Message-ID: <01e801c3b904$0916c200$5356a8c0@CPXPDEV10> It's all a question of how you define efficient in regards to serving web pages. Some people might says it's much resources you use. Some people might say it's how long it takes to serve a web page. In my book, it's all about how many web pages per second I can serve AND how long it takes to serve a page. If solution A has better numbers for both criteria than solution B, then I'd say it's more efficient. If solution A has better numbers than solution B for one of the criteria but worse numbers for the other criteria, then it's really a question of what's important to you. ophir From jsiegel1 at optonline.net Tue Dec 2 14:50:22 2003 From: jsiegel1 at optonline.net (Jeff Siegel) Date: Tue, 02 Dec 2003 14:50:22 -0500 Subject: [nycphp-talk] NYPHP Holiday Party Menu & Venue!!! Message-ID: <3FCCECFE.40604@optonline.net> The NYPHP Holiday Party will be on December 16th at 6:30pm at the Hard Rock Cafe, 221 West 57th Street, New York. The cost is $20.00 per person to be paid at the door. The menu for the party is listed below. You *must* let us know if you are going to attend so please contact me off-list so I can add your name to the guest list. Jeff Siegel *******The Party Menu************ CHOICE OF ENTREES: HRC Country Char-Broiled Burger with Cheese and/or Bacon HRC Natural Veggie Burger Grilled Chicken Breast Sandwich HRC Caesar Salad Pig Sandwich DESSERT: Homestyle Chocolate Cake CHOICE OF BEVERAGE: Coffee, Tea or Soft Drink Alcoholic beverages are not included. Note: Sandwiches and Burger Platters include french fries, lettuce, tomato and red onion. From dmintz at davidmintz.org Tue Dec 2 14:58:57 2003 From: dmintz at davidmintz.org (David Mintz) Date: Tue, 2 Dec 2003 14:58:57 -0500 (EST) Subject: [nycphp-talk] security? we don't need no stinkin security! In-Reply-To: <3FCCD2F4.2030302@att.net> Message-ID: On Tue, 2 Dec 2003, John Lacey wrote: > > Chris Shiflett wrote: > > > > Yeah, someone really needs to write a forum in PHP that doesn't suck. > > While they're at it, a CMS that doesn't suck would be nice, too. It's a > > shame that there are Perl applications that fit these needs but no decent > > PHP representation. > > > > and speaking of that, BB's CMS's and the like have very > well-defined things that they "need to do"... wouldn't it be > nice if well-designed secure components (pcom?) were > available that one could go to the 'lego box' and pull out > what you need to put it together... > That's why, after a fair amount of poking around, I've decided to go with Moveable Type (http://moveabletype.org/) as my blogware with which to join this latest craze in narcissism and self-indulgence. I found it encouraging to read that it requires a whole slew of well-exercised, mature CPAN modules. To me that means the developers are not reinventing the proverbial wheel and compromising security, reliability, etc., in the process. (Oh yeah, I also used a little ad hominem non-reasoning: that Jeremy Zawodny dude, who seems to know a lot of stuff judging from his writings, really likes PHP, yet he uses MT.) --- David Mintz http://davidmintz.org/ ATTN Everybody: dmintz at panix.com will be unplugged as of 01-Dec-2003! Please use dmintz at davidmintz.org "Anybody else got a problem with Webistics?" Sopranos 24:17 From dmintz at davidmintz.org Tue Dec 2 15:02:34 2003 From: dmintz at davidmintz.org (David Mintz) Date: Tue, 2 Dec 2003 15:02:34 -0500 (EST) Subject: [nycphp-talk] Help with mysql select within a select query In-Reply-To: Message-ID: On Tue, 2 Dec 2003, Mark Armendariz wrote: > > I was under the impression that you could in the where clause, although I'm > not sure if you can use it with an 'in' statement. I know you can't use it > in the SELECT part of a statement (as a field), though. > http://www.mysql.com/doc/en/Subqueries.html seems to say subqueries are supported as of version 4.1 --- David Mintz http://davidmintz.org/ ATTN Everybody: dmintz at panix.com will be unplugged as of 01-Dec-2003! Please use dmintz at davidmintz.org "Anybody else got a problem with Webistics?" Sopranos 24:17 From dmintz at davidmintz.org Tue Dec 2 15:40:29 2003 From: dmintz at davidmintz.org (David Mintz) Date: Tue, 2 Dec 2003 15:40:29 -0500 (EST) Subject: [nycphp-talk] PEAR DB_Cache question In-Reply-To: Message-ID: I've been studying the recipe in the Cookbook, which is the closest thing to documentation that I've been able to find for DB_Cache, other than in the source. So here's what I don't understand. Say you're using the 'file' container -- a disk-based cache. When you call the constructor like so $db = new Cache_DB('file',array('cache_dir'=>'/my/cache_dir/'),86400); you're telling it where to cache data. Fine. Then you do a query -- call it query_1. Suppose in the course of the same script you want to cache the results of another query_2. Further suppose that at some point you want to be able to flush() the cached results of query_1, but not query_2. If you just say flush('db_cache') then you flush the cached results of ~both~ queries. Are we supposed to set cache_dir to different values for each query before querying and/or calling flush? I haven't found any setter method for doing that, and although I realize that in PHP 4 you can can access object variables directly, I wonder if code written that way might break in PHP 5. I guess you could also create a new Cache_DB instance with different arguments for each query, but that seems wasteful. I hope this is coherent -- if I sound confused it's because I am confused. The more general problem is that my application relies on some MySQL tables that get updated many times a day, and some tables that get updated a few times a year. Hence my interest in DB_Cache. Many TIA, --- David Mintz http://davidmintz.org/ ATTN Everybody: dmintz at panix.com will be unplugged as of 01-Dec-2003! Please use dmintz at davidmintz.org "Anybody else got a problem with Webistics?" Sopranos 24:17 From adam at trachtenberg.com Tue Dec 2 16:16:23 2003 From: adam at trachtenberg.com (Adam Maccabee Trachtenberg) Date: Tue, 2 Dec 2003 16:16:23 -0500 (EST) Subject: [nycphp-talk] PEAR DB_Cache question In-Reply-To: References: Message-ID: On Tue, 2 Dec 2003, David Mintz wrote: > I've been studying the recipe in the Cookbook, which is the closest thing > to documentation that I've been able to find for DB_Cache, other than in > the source. I've often found that PHP Cookbook is the only documention for PEAR packages. Of course, it means when people ask me questions about the recipes, I'm forced to re-read to source to rememeber why I wrote what I did. Even worse, Dave wrote that recipe. :) > you're telling it where to cache data. Fine. Then you do a query -- call > it query_1. Suppose in the course of the same script you want to cache the > results of another query_2. Further suppose that at some point you want to > be able to flush() the cached results of query_1, but not query_2. If you > just say flush('db_cache') then you flush the cached results of ~both~ > queries. Right. I believe the assumption is that you want to flush the cache when you update your data and that all datasets have similar update windows. > The more general problem is that my application relies on some MySQL > tables that get updated many times a day, and some tables that get updated > a few times a year. Hence my interest in DB_Cache. Can't you set up two caches? One for the frequently updated data and one for the few times a year updated data? Or only cache the few times a year data and don't bother caching the frequently updated data at all? -adam -- adam at trachtenberg.com author of o'reilly's php cookbook avoid the holiday rush, buy your copy today! From ttoomey at ydnt.com Tue Dec 2 16:23:01 2003 From: ttoomey at ydnt.com (Tim Toomey) Date: Tue, 2 Dec 2003 15:23:01 -0600 Subject: [nycphp-talk] NYPHP Holiday Party Menu & Venue!!! References: <3FCCECFE.40604@optonline.net> Message-ID: <009401c3b91a$7ac51350$7600a8c0@timmerslaptop> I want to go buy I'm in Chicago :( -Tim ----- Original Message ----- From: "Jeff Siegel" To: "NYPHP Talk" Sent: Tuesday, December 02, 2003 1:50 PM Subject: [nycphp-talk] NYPHP Holiday Party Menu & Venue!!! > The NYPHP Holiday Party will be on December 16th at 6:30pm at the Hard > Rock Cafe, 221 West 57th Street, New York. The cost is $20.00 per person > to be paid at the door. The menu for the party is listed below. You > *must* let us know if you are going to attend so please contact me > off-list so I can add your name to the guest list. > > Jeff Siegel > > *******The Party Menu************ > > CHOICE OF ENTREES: > HRC Country Char-Broiled Burger with Cheese and/or Bacon > HRC Natural Veggie Burger > Grilled Chicken Breast Sandwich > HRC Caesar Salad > Pig Sandwich > > DESSERT: > Homestyle Chocolate Cake > > CHOICE OF BEVERAGE: > Coffee, Tea or Soft Drink > > Alcoholic beverages are not included. > > Note: Sandwiches and Burger Platters include french fries, lettuce, > tomato and red onion. > > > _______________________________________________ > talk mailing list > talk at lists.nyphp.org > http://lists.nyphp.org/mailman/listinfo/talk From dmintz at davidmintz.org Tue Dec 2 16:40:17 2003 From: dmintz at davidmintz.org (David Mintz) Date: Tue, 2 Dec 2003 16:40:17 -0500 (EST) Subject: [nycphp-talk] PEAR DB_Cache question In-Reply-To: Message-ID: On Tue, 2 Dec 2003, Adam Maccabee Trachtenberg wrote: > On Tue, 2 Dec 2003, David Mintz wrote: > > > I've been studying the recipe in the Cookbook, which is the closest thing > > to documentation that I've been able to find for DB_Cache, other than in > > the source. > > I've often found that PHP Cookbook is the only documention for PEAR > packages. Of course, it means when people ask me questions about the > recipes, I'm forced to re-read to source to rememeber why I wrote what > I did. Even worse, Dave wrote that recipe. :) Ha! Speaking of which, in case you're considering coming out with another edition someday, a suggestion/question: wouldn't you want to use $db->setConnection($dsn) in this recipe, which "[registers] a database connection for connect on demand"? I can't understand why anyone would want to use the unconditional connect() when they're only planning to SELECT, if the whole point is to save db overhead. (Then again I've hardly mastered the internals ergo don't know what I'm talking about (-: ) > > > If you just say flush('db_cache') then you flush the cached > > results of ~both~ queries. > > > Right. I believe the assumption is that you want to flush the cache > when you update your data and that all datasets have similar update windows. > > > > The more general problem is that my application relies on some MySQL > > tables that get updated many times a day, and some tables that get updated > > a few times a year. Hence my interest in DB_Cache. > > Can't you set up two caches? One for the frequently updated data and > one for the few times a year updated data? Or only cache the few times > a year data and don't bother caching the frequently updated data at > all? > Yes, certainly. I plan not to cache the frequently-updated at all, and cache the quasi-static, but I guess I was trying to tune the caching more finely than this class thinks I need to. So it seems the answer is, blow away the whole cache when you flush(), and don't worry about it, you're still realizing big big savings. Thanks again Adam. Love that book! Now back to the kitchen. --- David Mintz http://davidmintz.org/ ATTN Everybody: dmintz at panix.com will be unplugged as of 01-Dec-2003! Please use dmintz at davidmintz.org "Anybody else got a problem with Webistics?" Sopranos 24:17 From adam at trachtenberg.com Tue Dec 2 16:45:43 2003 From: adam at trachtenberg.com (Adam Maccabee Trachtenberg) Date: Tue, 2 Dec 2003 16:45:43 -0500 (EST) Subject: [nycphp-talk] PEAR DB_Cache question In-Reply-To: References: Message-ID: On Tue, 2 Dec 2003, David Mintz wrote: > Ha! Speaking of which, in case you're considering coming out with another > edition someday, a suggestion/question: wouldn't you want to use > $db->setConnection($dsn) in this recipe, which "[registers] a database > connection for connect on demand"? I can't understand why anyone would > want to use the unconditional connect() when they're only planning to > SELECT, if the whole point is to save db overhead. (Then again I've hardly > mastered the internals ergo don't know what I'm talking about (-: ) Thanks for the tip. I will add this to this giant TODO list for the Second Edition. FWIW, here are the most likely answers to any similar questions: 1) That feature wasn't available when we wrote the book. 2) We weren't smart enough to realize that feature was available when we wrote the book. Usually, if we saw something you shouldn't do, we mentioned it. If a feature is omitted, and it seems smart to use it, you probably should. :) -adam -- adam at trachtenberg.com author of o'reilly's php cookbook avoid the holiday rush, buy your copy today! From sryBoston at hotmail.com Wed Dec 3 07:43:11 2003 From: sryBoston at hotmail.com (-sry) Date: Wed, 3 Dec 2003 07:43:11 -0500 Subject: [nycphp-talk] translating behaviors from JavaScript to PHP References: <3FCCCDA1.8010203@nyphp.com> Message-ID: On Tuesday, December 02, 2003 12:36 PM "Hans Zaunere" > -sry wrote: > > [ repost - sent to the wrong list ] > > [snip] > >>vis my personal web site. Since I like to keep code as > >>modularized as possible, I separated out my JavaScript > >>(for mouseover behavior and other sillyness) into a .js file. > >>As a mechanism for putting my hands on some PHP as I > >>learn it, I figured I'd take the existing page design and > >>behavior and "translate" it into a PHP implementation. > > Keep in mind that PHP runs strictly on the server - the > browser is never aware of any PHP code. Granted, you > can use PHP to generate the client-side code the browser > then reads and parses, but translating between Javascript > and PHP - in a linear sense - is not possible. I guess my subject line wording is a bit misleading. I don't mean a LITERAL translation. I meant to say I am trying to translate my thinking into how to design the same results/behavior with a different approach, a PHP approach. There is always more than one way to skin any cat and I am not used to thinking in PHP terms--as is apparent from my newbie post where I was embedding HTML in PHP rather than PHP into HTML which seems obvious now that some of you have pointed it out to me :-) Thanks for the tips, guys. I'm asking for more "tips" like this, how to approach, in PHP, doing things like overwriting DIVs to dynamically load content or how to replace stylesheets based on user prefs using PHP rather than JS...such as the JS code described at: http://www.alistapart.com/articles/alternate/ Maybe some of these behaviors are simply not appropriate for a PHP implementation - I dunno - that's why I'm asking for your opinions :) Maybe it'd better to ask, how would I go about "retooling" existing functionality from JS to PHP? Assuming the functionality is *not* specifically better-suited for a client-side scripting. Better way to ask? :) -sry From keith.richardson at thompsonhealth.com Wed Dec 3 07:54:54 2003 From: keith.richardson at thompsonhealth.com (Keith Richardson) Date: Wed, 3 Dec 2003 07:54:54 -0500 Subject: [nycphp-talk] translating behaviors from JavaScript to PHP In-Reply-To: <4A34D0947B38AF4D8629DA86655D59069153AD@ffth-exc01.thompsonhealth.org> Message-ID: <4A34D0947B38AF4D8629DA86655D5906C2A2@ffth-exc01.thompsonhealth.org> In my opinion, to accomplish that I would probabally use sessions, or a get variable. in the top, you would have something like this: Then where you display the style sheet, you would do something like this in the html code: So when you have a list of stylesheets to use, it just reloads the page, say index.php, as index.php?stylesheet=red - and it will load the red style sheet. If they did not enter a style sheet, or it is not one of your options, then it would load the default style sheet. the thing with this one, is that you have to pass the get variable to each page that you want to have customized style sheets, which can be a lot of reworking, because you have to add something like this to each link: Links This prints out the ?stylesheet=red (as an example) after the link, if red is selected. if there is no option, it wont print anything after the link. The other way to do it is with sessions, which for me is easier. on the top of the page, do something like Then where you display the style sheet, you would do something like this in the html code: This way, you can change the stylesheet with the GET request, say page.php?stylesheet=red - and it will change the stylesheet in the users session. Since the sessions are saved for the browser session, it will keep the session variables for each page that the user loads, and thus keeping their selected style with each page, without having to add any more get requests. If it were me, I would add the php code that checks the session variables/get variables in an include file, say change_css.php - and include it on the top of every file, or in your header file. This way its easier to add another option for a different CSS. -----Original Message----- From: talk-bounces at lists.nyphp.org [mailto:talk-bounces at lists.nyphp.org]On Behalf Of -sry Sent: Wednesday, December 03, 2003 7:43 AM To: NYPHP Talk Subject: Re: [nycphp-talk] translating behaviors from JavaScript to PHP On Tuesday, December 02, 2003 12:36 PM "Hans Zaunere" > -sry wrote: > > [ repost - sent to the wrong list ] > > [snip] > >>vis my personal web site. Since I like to keep code as > >>modularized as possible, I separated out my JavaScript > >>(for mouseover behavior and other sillyness) into a .js file. > >>As a mechanism for putting my hands on some PHP as I > >>learn it, I figured I'd take the existing page design and > >>behavior and "translate" it into a PHP implementation. > > Keep in mind that PHP runs strictly on the server - the > browser is never aware of any PHP code. Granted, you > can use PHP to generate the client-side code the browser > then reads and parses, but translating between Javascript > and PHP - in a linear sense - is not possible. I guess my subject line wording is a bit misleading. I don't mean a LITERAL translation. I meant to say I am trying to translate my thinking into how to design the same results/behavior with a different approach, a PHP approach. There is always more than one way to skin any cat and I am not used to thinking in PHP terms--as is apparent from my newbie post where I was embedding HTML in PHP rather than PHP into HTML which seems obvious now that some of you have pointed it out to me :-) Thanks for the tips, guys. I'm asking for more "tips" like this, how to approach, in PHP, doing things like overwriting DIVs to dynamically load content or how to replace stylesheets based on user prefs using PHP rather than JS...such as the JS code described at: http://www.alistapart.com/articles/alternate/ Maybe some of these behaviors are simply not appropriate for a PHP implementation - I dunno - that's why I'm asking for your opinions :) Maybe it'd better to ask, how would I go about "retooling" existing functionality from JS to PHP? Assuming the functionality is *not* specifically better-suited for a client-side scripting. Better way to ask? :) -sry _______________________________________________ talk mailing list talk at lists.nyphp.org http://lists.nyphp.org/mailman/listinfo/talk From tgales at tgaconnect.com Wed Dec 3 08:07:51 2003 From: tgales at tgaconnect.com (Tim Gales) Date: Wed, 3 Dec 2003 08:07:51 -0500 Subject: [nycphp-talk] security? we don't need no stinkin security! In-Reply-To: <3FCCD2F4.2030302@att.net> Message-ID: <009a01c3b99e$75995420$bf8d3818@oberon1> John Lacey writes: ".. wouldn't it be nice if well-designed secure components (pcom?) were available that one could go to the 'lego box' and pull out what you need to put it together..." Are you saying that Pear doesn't dot this? T. Gales & Associates 'Helping People Connect with Technology' http://www.tgaconnect.com From sryBoston at hotmail.com Wed Dec 3 08:15:59 2003 From: sryBoston at hotmail.com (-sry) Date: Wed, 3 Dec 2003 08:15:59 -0500 Subject: [nycphp-talk] translating behaviors from JavaScript to PHP References: <4A34D0947B38AF4D8629DA86655D5906C2A2@ffth-exc01.thompsonhealth.org> Message-ID: Wow, Keith, thanks for the lesson!! This is *EXACTLY* what I wanted - a comparison of approaches and the PHP solution to a parallel JS situation. And I agree, sessions are much easier to manage for anything that forces a reload of a page otherwise. Will be studying this and probably trying something out with it this weekend. Stay tuned... :) -sry ----- Original Message ----- From: "Keith Richardson" To: "'NYPHP Talk'" Sent: Wednesday, December 03, 2003 7:54 AM Subject: RE: [nycphp-talk] translating behaviors from JavaScript to PHP > In my opinion, to accomplish that I would probabally use sessions, or a get > variable. > > in the top, you would have something like this: > > > $current_stylesheet = "default.css"; > > if (!empty($_GET['stylesheet'])) > { > switch($_GET['stylesheet']) > { > case "red": > $current_stylesheet = "red.css"; > break; > case "blue": > $current_stylesheet = "blue.css"; > break; > } > } > ?> > Then where you display the style sheet, you would do something like this in > the html code: > > type="text/css" href="" /> > > > So when you have a list of stylesheets to use, it just reloads the page, say > index.php, as index.php?stylesheet=red - and it will load the red style > sheet. If they did not enter a style sheet, or it is not one of your > options, then it would load the default style sheet. > > the thing with this one, is that you have to pass the get variable to each > page that you want to have customized style sheets, which can be a lot of > reworking, because you have to add something like this to each link: > print("?stylesheet=".$_GET['stylesheet']); } ?>">Links > > This prints out the ?stylesheet=red (as an example) after the link, if red > is selected. if there is no option, it wont print anything after the link. > > The other way to do it is with sessions, which for me is easier. > > on the top of the page, do something like > session_name("mysite.com_css"); > session_start(); > > if (empty($_SESSION['stylesheet'])) > $_SESSION['stylesheet'] = "default.css"; > > if (!empty($_GET['stylesheet'])) > { > switch($_GET['stylesheet']) > { > case "red": > $_SESSION['stylesheet'] = "red.css"; > break; > case "blue": > $_SESSION['stylesheet'] = "blue.css"; > break; > } > } > > ?> > > Then where you display the style sheet, you would do something like this in > the html code: > > type="text/css" href="" /> > > This way, you can change the stylesheet with the GET request, say > page.php?stylesheet=red - and it will change the stylesheet in the users > session. Since the sessions are saved for the browser session, it will keep > the session variables for each page that the user loads, and thus keeping > their selected style with each page, without having to add any more get > requests. > > If it were me, I would add the php code that checks the session > variables/get variables in an include file, say change_css.php - and include > it on the top of every file, or in your header file. This way its easier to > add another option for a different CSS. > > -----Original Message----- > From: talk-bounces at lists.nyphp.org > [mailto:talk-bounces at lists.nyphp.org]On Behalf Of -sry > Sent: Wednesday, December 03, 2003 7:43 AM > To: NYPHP Talk > Subject: Re: [nycphp-talk] translating behaviors from JavaScript to PHP > > > > On Tuesday, December 02, 2003 12:36 PM > "Hans Zaunere" > > -sry wrote: > > > [ repost - sent to the wrong list ] > > > [snip] > > >>vis my personal web site. Since I like to keep code as > > >>modularized as possible, I separated out my JavaScript > > >>(for mouseover behavior and other sillyness) into a .js file. > > >>As a mechanism for putting my hands on some PHP as I > > >>learn it, I figured I'd take the existing page design and > > >>behavior and "translate" it into a PHP implementation. > > > > Keep in mind that PHP runs strictly on the server - the > > browser is never aware of any PHP code. Granted, you > > can use PHP to generate the client-side code the browser > > then reads and parses, but translating between Javascript > > and PHP - in a linear sense - is not possible. > > I guess my subject line wording is a bit misleading. I don't > mean a LITERAL translation. I meant to say I am trying > to translate my thinking into how to design the same > results/behavior with a different approach, a PHP approach. > There is always more than one way to skin any cat and I > am not used to thinking in PHP terms--as is apparent from > my newbie post where I was embedding HTML in PHP > rather than PHP into HTML which seems obvious now > that some of you have pointed it out to me :-) Thanks for > the tips, guys. > > I'm asking for more "tips" like this, how to approach, in > PHP, doing things like overwriting DIVs to dynamically > load content or how to replace stylesheets based on > user prefs using PHP rather than JS...such as the JS > code described at: > > http://www.alistapart.com/articles/alternate/ > > Maybe some of these behaviors are simply not appropriate > for a PHP implementation - I dunno - that's why I'm asking > for your opinions :) > > Maybe it'd better to ask, how would I go about "retooling" > existing functionality from JS to PHP? Assuming the > functionality is *not* specifically better-suited for a client-side > scripting. Better way to ask? :) > > -sry > _______________________________________________ > talk mailing list > talk at lists.nyphp.org > http://lists.nyphp.org/mailman/listinfo/talk > > _______________________________________________ > talk mailing list > talk at lists.nyphp.org > http://lists.nyphp.org/mailman/listinfo/talk > From sryBoston at hotmail.com Wed Dec 3 08:18:04 2003 From: sryBoston at hotmail.com (-sry) Date: Wed, 3 Dec 2003 08:18:04 -0500 Subject: [nycphp-talk] newbie - square one References: <3FCC8E50.10007@optonline.net> Message-ID: Thanks to Jeff, John and Brian for the getting me started tutorials here - and for straightening me out on what to embed in what ;-) Yes, I am dyslexic but I think it's more than I'm not used to thinking in terms of a parsed language, having not used Perl for more than 4 or 5 years. Gotta get my brain back into it. Thanks again for all your help guys!! -sry From csnyder at chxo.com Wed Dec 3 08:34:05 2003 From: csnyder at chxo.com (Chris Snyder) Date: Wed, 03 Dec 2003 08:34:05 -0500 Subject: [nycphp-talk] security? we don't need no stinkin security! In-Reply-To: <009a01c3b99e$75995420$bf8d3818@oberon1> References: <009a01c3b99e$75995420$bf8d3818@oberon1> Message-ID: <3FCDE64D.10606@chxo.com> Tim Gales wrote: >John Lacey writes: >".. wouldn't it be > nice if well-designed secure components (pcom?) were > available that one could go to the 'lego box' and pull out > what you need to put it together..." > >Are you saying that Pear doesn't dot this? > > "Well-designed" and "secure" mean different things to different folks, but classes generic enough to be used as lego blocks have a hard time earning those descriptions. From tgales at tgaconnect.com Wed Dec 3 08:47:34 2003 From: tgales at tgaconnect.com (Tim Gales) Date: Wed, 3 Dec 2003 08:47:34 -0500 Subject: [nycphp-talk] security? we don't need no stinkin security! In-Reply-To: <3FCDE64D.10606@chxo.com> Message-ID: <000001c3b9a4$01bec340$bf8d3818@oberon1> chris Snyder writes: > "Well-designed" and "secure" mean different things to > different folks, > but classes generic enough to be used as lego blocks have a hard time > earning those descriptions. > Guilty (again) of being sloppy and inexact. What I meant to say is doesn't the PFC at PEAR aim at this goal? And to what degree do people think the PEAR Foundation Classes have achieved that goal. T. Gales & Associates 'Helping People Connect with Technology' http://www.tgaconnect.com From sryBoston at hotmail.com Wed Dec 3 09:40:12 2003 From: sryBoston at hotmail.com (-sry) Date: Wed, 3 Dec 2003 09:40:12 -0500 Subject: [nycphp-talk] newbie - square one References: Message-ID: > See, I told you this was a better place to get questions answered than > the wwwac. > Hey! Now don't go comparing apples to oranges--wwwac is still better for plenty of things, if nothing else, the wwwacies themselves! :) We have lots of fun over there and occasionally get some work done, too! For the focused topic of PHP or PHP/mySQL, yes, this is HEAVEN :-) So glad I found you guys. Jeff, thanks for the list of books - I have no money for any books right now but the Great American Public Library system seems to keep themselves pretty well-stocked on computer-related things here in Cambridge. Big surprise, huh? <> I'll see what I can find. I think O'Reilly needs to have a "large consumer's club" or "Book of the Month" club where if you buy at least 8 books a year, you get one free or something :-D The only things besides clothes that I have paid to ship internationally (no less than 3 times) are my computer and engineering books--more than half of them ORA. I want something back, darnit. -sry From jsiegel1 at optonline.net Wed Dec 3 10:01:00 2003 From: jsiegel1 at optonline.net (Jeff Siegel) Date: Wed, 03 Dec 2003 10:01:00 -0500 Subject: [nycphp-talk] newbie - square one In-Reply-To: References:

Message-ID: <3FCDFAAC.6070201@optonline.net> Hope the list works for you...when you have the money. :) Jeff -sry wrote: >>See, I told you this was a better place to get questions answered than >>the wwwac. >> > > > Hey! Now don't go comparing apples to oranges--wwwac is still > better for plenty of things, if nothing else, the wwwacies themselves! :) > We have lots of fun over there and occasionally get some work > done, too! For the focused topic of PHP or PHP/mySQL, yes, > this is HEAVEN :-) So glad I found you guys. > > Jeff, thanks for the list of books - I have no money for any books > right now but the Great American Public Library system seems to > keep themselves pretty well-stocked on computer-related things > here in Cambridge. Big surprise, huh? <> > > I'll see what I can find. I think O'Reilly needs to have a "large > consumer's club" or "Book of the Month" club where if you buy > at least 8 books a year, you get one free or something :-D The > only things besides clothes that I have paid to ship internationally > (no less than 3 times) are my computer and engineering > books--more than half of them ORA. I want something back, > darnit. > > -sry > > _______________________________________________ > talk mailing list > talk at lists.nyphp.org > http://lists.nyphp.org/mailman/listinfo/talk > From bpang at bpang.com Wed Dec 3 10:11:38 2003 From: bpang at bpang.com (Brian Pang) Date: Wed, 03 Dec 2003 10:11:38 -0500 Subject: books? we don't need no stinkin' books! - Was: Re: [nycphp-talk] newbie - square one Message-ID: apologies to the authors in the crowd :) > Hope the list works for you...when you have the money. :) > > I have no money for any books From jonbaer at jonbaer.net Wed Dec 3 10:23:04 2003 From: jonbaer at jonbaer.net (jon baer) Date: Wed, 3 Dec 2003 10:23:04 -0500 Subject: books? we don't need no stinkin' books! - Was: Re: [nycphp-talk]newbie - square one References: Message-ID: <007001c3b9b1$59123020$6400a8c0@thinkpad> > > > I have no money for any books http://www.jonbaer.net/books :-) Sorry for the spam ... happy holidays ... - jon From jeffknight at mac.com Wed Dec 3 10:36:22 2003 From: jeffknight at mac.com (PUTAMARE) Date: Wed, 3 Dec 2003 10:36:22 -0500 Subject: [nycphp-talk] newbie - square one In-Reply-To: References:

Message-ID: <72727138-25A6-11D8-879A-000393B9FB36@mac.com> On Dec 3, 2003, at 9:40 AM, -sry wrote: > I'll see what I can find. I think O'Reilly needs to have a "large > consumer's club" or "Book of the Month" club where if you buy > at least 8 books a year, you get one free or something have you looked into the Safari Bookshelf? 15/mo. isn't bad... http://safari.oreilly.com Jeff Knight jeff not junkmail at lushmedia.com 212/213-6558 x 203 LUSH media 110 W 40th St #1502 New York, NY 10018 From jlacey at att.net Wed Dec 3 12:05:17 2003 From: jlacey at att.net (John Lacey) Date: Wed, 03 Dec 2003 10:05:17 -0700 Subject: [nycphp-talk] security? we don't need no stinkin security! In-Reply-To: <009a01c3b99e$75995420$bf8d3818@oberon1> References: <009a01c3b99e$75995420$bf8d3818@oberon1> Message-ID: <3FCE17CD.6050902@att.net> Tim Gales wrote: > ".. wouldn't it be > nice if well-designed secure components (pcom?) were > available that one could go to the 'lego box' and pull out > what you need to put it together..." > > Are you saying that Pear doesn't do this? nope, was more of a comment about the stuff out there of questionable quality from a security standpoint In fact, I use PEAR when I'm teaching noobie PHP fundamentals to give the people a standard for coding after we've thrown something together that "works" John From shawn at shawnlawyer.com Wed Dec 3 12:36:54 2003 From: shawn at shawnlawyer.com (Shawn Lawyer) Date: Wed, 3 Dec 2003 12:36:54 -0500 Subject: [nycphp-talk] newbie - square one References:

<72727138-25A6-11D8-879A-000393B9FB36@mac.com> Message-ID: <00c101c3b9c4$206def30$ae40c718@Della> moo, Web references are the best, but when trying to learn, sometimes it can be better to just have a book. Can't connect in the subway ya know, and that's my favorite place to read. I sometimes hop on the 1/9 and ride it till I get back to where I start. FREAK I have known the feeling of not having money for books, and it being the season for giving, I have a few books you might like and I don't need. If you don't mind traveling for them, they're yours. Shawn Lawyer btw is anyone else on twc/earthlink and having problems sending From dmintz at davidmintz.org Wed Dec 3 15:32:20 2003 From: dmintz at davidmintz.org (David Mintz) Date: Wed, 3 Dec 2003 15:32:20 -0500 (EST) Subject: [nycphp-talk] holy sh!t [gossip] In-Reply-To: Message-ID: I'm astounded to see this output: Parse error: parse error, expecting `','' or `';'' in /usr/local/www/pearweb/public_html/index.php on line 68 at this location: http://pear.php.net/ (I will try to email someone there. Maybe it will have been fixed up by the time you read this.) --- David Mintz http://davidmintz.org/ ATTN Everybody: dmintz at panix.com will be unplugged as of 01-Dec-2003! Please use dmintz at davidmintz.org "Anybody else got a problem with Webistics?" Sopranos 24:17 From tom at supertom.com Wed Dec 3 15:37:41 2003 From: tom at supertom.com (tom at supertom.com) Date: Wed, 03 Dec 2003 15:37:41 -0500 Subject: [nycphp-talk] holy sh!t [gossip] In-Reply-To: Message-ID: You are right - and that is crazy!!! Heads are gonna roll in PHP land! :-) BTW, I am quite jealous of the holiday party you NY-PHPer's are throwing - I wish I could make it. Don't know anywhere on Long Island where I can get a pig sandwich! Tom *************************************************** What's Tom listening to right now? Find out here: http://www.supertom.com/current_track.php -----Original Message----- From: talk-bounces at lists.nyphp.org [mailto:talk-bounces at lists.nyphp.org]On Behalf Of David Mintz Sent: Wednesday, December 03, 2003 3:32 PM To: NYPHP Talk Subject: [nycphp-talk] holy sh!t [gossip] I'm astounded to see this output: Parse error: parse error, expecting `','' or `';'' in /usr/local/www/pearweb/public_html/index.php on line 68 at this location: http://pear.php.net/ (I will try to email someone there. Maybe it will have been fixed up by the time you read this.) --- David Mintz http://davidmintz.org/ ATTN Everybody: dmintz at panix.com will be unplugged as of 01-Dec-2003! Please use dmintz at davidmintz.org "Anybody else got a problem with Webistics?" Sopranos 24:17 _______________________________________________ talk mailing list talk at lists.nyphp.org http://lists.nyphp.org/mailman/listinfo/talk From tom at supertom.com Wed Dec 3 15:45:42 2003 From: tom at supertom.com (tom at supertom.com) Date: Wed, 03 Dec 2003 15:45:42 -0500 Subject: [nycphp-talk] PHP ASP comparison In-Reply-To: Message-ID: Hey folks, Ok, guys, I know I've seen this time in again across the web, but now I actually have a need (doing a presentation for a course I am taking, and I bet I can use this content for a future LIPHP meeting) for this type of info. Stats on speed, performance, easy of use, features, support etc. I will do my share of googling for this info, I promise, but I figured someone out there may have some good links right at there fingertips which is why I am asking first. And hey, I bet many of us on the list would enjoy a good discussion about this type of thing. Nowhere did I mention that my presentation had to be objective. Just kidding. :-) Any help is greatly appreciated! Tom Long Island PHP Users Group http://www.liphp.org *************************************************** What's Tom listening to right now? Find out here: http://www.supertom.com/current_track.php From shiflett at php.net Wed Dec 3 16:01:16 2003 From: shiflett at php.net (Chris Shiflett) Date: Wed, 3 Dec 2003 13:01:16 -0800 (PST) Subject: [nycphp-talk] PHP ASP comparison In-Reply-To: Message-ID: <20031203210116.33641.qmail@web14304.mail.yahoo.com> This is a decent link: http://php.weblogs.com/php_vs_asp I admit that I haven't actually read it (I never give ASP any thought), but I saw that there are some links to other comparisons at the bottom. Hope that helps. Chris ===== Chris Shiflett - http://shiflett.org/ PHP Security Handbook Coming mid-2004 HTTP Developer's Handbook http://httphandbook.org/ From tom at supertom.com Wed Dec 3 16:06:54 2003 From: tom at supertom.com (tom at supertom.com) Date: Wed, 03 Dec 2003 16:06:54 -0500 Subject: [nycphp-talk] PHP ASP comparison In-Reply-To: <20031203210116.33641.qmail@web14304.mail.yahoo.com> Message-ID: See, I knew someone would have a great link - I hadn't even heard of that one before. Thanks, Chris! Tom *************************************************** What's Tom listening to right now? Find out here: http://www.supertom.com/current_track.php -----Original Message----- From: talk-bounces at lists.nyphp.org [mailto:talk-bounces at lists.nyphp.org]On Behalf Of Chris Shiflett Sent: Wednesday, December 03, 2003 4:01 PM To: NYPHP Talk Subject: Re: [nycphp-talk] PHP ASP comparison This is a decent link: http://php.weblogs.com/php_vs_asp I admit that I haven't actually read it (I never give ASP any thought), but I saw that there are some links to other comparisons at the bottom. Hope that helps. Chris ===== Chris Shiflett - http://shiflett.org/ PHP Security Handbook Coming mid-2004 HTTP Developer's Handbook http://httphandbook.org/ _______________________________________________ talk mailing list talk at lists.nyphp.org http://lists.nyphp.org/mailman/listinfo/talk From nyphp at enobrev.com Wed Dec 3 16:23:21 2003 From: nyphp at enobrev.com (Mark Armendariz) Date: Wed, 3 Dec 2003 16:23:21 -0500 Subject: [nycphp-talk] PHP ASP comparison In-Reply-To: <20031203210116.33641.qmail@web14304.mail.yahoo.com> Message-ID: Here's on involving .net The article: http://www.sitepoint.com/article/870 And a rebuttal: http://www.edwardbear.org/serendipity/archives/1178_NET_vs_PHP_again_and_aga in.html Mark -----Original Message----- From: talk-bounces at lists.nyphp.org [mailto:talk-bounces at lists.nyphp.org] On Behalf Of Chris Shiflett Sent: Wednesday, December 03, 2003 4:01 PM To: NYPHP Talk Subject: Re: [nycphp-talk] PHP ASP comparison This is a decent link: http://php.weblogs.com/php_vs_asp I admit that I haven't actually read it (I never give ASP any thought), but I saw that there are some links to other comparisons at the bottom. Hope that helps. Chris ===== Chris Shiflett - http://shiflett.org/ PHP Security Handbook Coming mid-2004 HTTP Developer's Handbook http://httphandbook.org/ _______________________________________________ talk mailing list talk at lists.nyphp.org http://lists.nyphp.org/mailman/listinfo/talk From dmintz at davidmintz.org Wed Dec 3 16:25:17 2003 From: dmintz at davidmintz.org (David Mintz) Date: Wed, 3 Dec 2003 16:25:17 -0500 (EST) Subject: [nycphp-talk] holy sh!t [gossip] In-Reply-To: Message-ID: Damn, they fixed it already. (-: On Wed, 3 Dec 2003, David Mintz wrote: > > I'm astounded to see this output: > > Parse error: parse error, expecting `','' or `';'' in > /usr/local/www/pearweb/public_html/index.php on line 68 > > at this location: http://pear.php.net/ > > (I will try to email someone there. Maybe it will have been fixed up by > the time you read this.) > > --- > David Mintz > http://davidmintz.org/ > ATTN Everybody: dmintz at panix.com will be unplugged as of 01-Dec-2003! > Please use dmintz at davidmintz.org > > > "Anybody else got a problem with Webistics?" > > Sopranos 24:17 > > _______________________________________________ > talk mailing list > talk at lists.nyphp.org > http://lists.nyphp.org/mailman/listinfo/talk > --- David Mintz http://davidmintz.org/ ATTN Everybody: dmintz at panix.com will be unplugged as of 01-Dec-2003! Please use dmintz at davidmintz.org "Anybody else got a problem with Webistics?" Sopranos 24:17 From jsiegel1 at optonline.net Wed Dec 3 16:34:40 2003 From: jsiegel1 at optonline.net (Jeff Siegel) Date: Wed, 03 Dec 2003 16:34:40 -0500 Subject: [nycphp-talk] PHP ASP comparison In-Reply-To: References: Message-ID: <3FCE56F0.1020802@optonline.net> Just to round things out, there is the article that used to be on the Microsoft site that compared ASP.net to PHP. It's always good to know what the other side thinks. See: http://www.msdnaa.net/Resources/display.aspx?ResID=2315 This used to be on the MSDN site but seems to have been removed and placed on the site noted above. Jeff Siegel tom at supertom.com wrote: > See, I knew someone would have a great link - I hadn't even heard of that > one before. > > Thanks, Chris! > > Tom > > > > > > *************************************************** > What's Tom listening to right now? Find out here: > http://www.supertom.com/current_track.php > > > > > -----Original Message----- > From: talk-bounces at lists.nyphp.org > [mailto:talk-bounces at lists.nyphp.org]On Behalf Of Chris Shiflett > Sent: Wednesday, December 03, 2003 4:01 PM > To: NYPHP Talk > Subject: Re: [nycphp-talk] PHP ASP comparison > > > This is a decent link: > > http://php.weblogs.com/php_vs_asp > > I admit that I haven't actually read it (I never give ASP any thought), > but I saw that there are some links to other comparisons at the bottom. > > Hope that helps. > > Chris > > ===== > Chris Shiflett - http://shiflett.org/ > > PHP Security Handbook > Coming mid-2004 > HTTP Developer's Handbook > http://httphandbook.org/ > _______________________________________________ > talk mailing list > talk at lists.nyphp.org > http://lists.nyphp.org/mailman/listinfo/talk > > _______________________________________________ > talk mailing list > talk at lists.nyphp.org > http://lists.nyphp.org/mailman/listinfo/talk > From dorgan at optonline.net Wed Dec 3 19:05:28 2003 From: dorgan at optonline.net (Donald J. Organ IV) Date: Wed, 03 Dec 2003 19:05:28 -0500 Subject: [nycphp-talk] Browser Based Code Editors References:

<72727138-25A6-11D8-879A-000393B9FB36@mac.com> <00c101c3b9c4$206def30$ae40c718@Della> Message-ID: <000d01c3b9fa$53a460b0$c801a8c0@dj> Does anyone know of any browser based code editors for ColdFusion something that woudl except the tab key? From suzerain at suzerain.com Wed Dec 3 20:48:31 2003 From: suzerain at suzerain.com (Marc Antony Vose) Date: Wed, 3 Dec 2003 20:48:31 -0500 Subject: [nycphp-talk] multilingual strategies In-Reply-To: <09B074D7-063E-11D8-8A2B-0003930D07F2@email.smith.edu> References: <09B074D7-063E-11D8-8A2B-0003930D07F2@email.smith.edu> Message-ID: Hi there. I develop sites with my own custom publishing engine that I've been adding to since about 1998...all in PHP. My goals are to keep it as modular as possible, so I can easily plug in different bits of functionality, and provide my clients with the greatest amount of flexibility in terms of what it can be used for. So, with that mindset, I'm interested in how people here have approached multilingual sites in a PHP/MySQL environment? In particular, I have an upcoming cultural project that will be translated into an unknown number of languages, and only in bits and pieces. So, at any given point in the content hierarchy, the system will need to look for a preferred language, and if it isn't found, go to the next on the list, and so on. (This is similar to the way Mac OS X works if any of you have used it.) The content will vary in terms of scope, length and type; right now, I tend to utilize MySQL for text data storage about 80% of the time, and the other 20% of the time I store textual content in text files, as serialized PHP objects. I always store graphics in the filesystem. So, I have my own ideas on how I am going to approach this, but here are my questions. How do you handle multilingual sites? Do you tend to store data in text files, in a database, or some other way? Do you maintain different entire databases for each language, or different tables in the same database, or just different columns in the same table(s)? Looking for abstract answers here about strategy. Thanks much, -- Marc Antony Vose http://www.suzerain.com/ Never underestimate the power of human stupidity. -- Lazarus Long From csnyder at chxo.com Wed Dec 3 21:04:57 2003 From: csnyder at chxo.com (Chris Snyder) Date: Wed, 03 Dec 2003 21:04:57 -0500 Subject: [nycphp-talk] multilingual strategies In-Reply-To: References: <09B074D7-063E-11D8-8A2B-0003930D07F2@email.smith.edu> Message-ID: <3FCE9649.6030003@chxo.com> Marc Antony Vose wrote: > How do you handle multilingual sites? Do you tend to store data in > text files, in a database, or some other way? Do you maintain > different entire databases for each language, or different tables in > the same database, or just different columns in the same table(s)? > I'm currently a fan of creating records in a separate table, one for each translation of a document. The translations table is keyed on the document id and language code so there can't be multiple same-language translations of something. On lookup, if the user's language is different from the document's language, some logic handles the lookup and, if a record is found, the original content is replaced with the translated content. One suggestion: consider using valid locales as your language codes so that you can use them with strftime() to format dates. Just using "en" or "es" might not be enough depending on your OS. csnyder From shawn at shawnlawyer.com Wed Dec 3 18:05:48 2003 From: shawn at shawnlawyer.com (Shawn Lawyer) Date: Wed, 3 Dec 2003 18:05:48 -0500 Subject: [nycphp-talk] dinner help References: Message-ID: <000601c3ba0e$68c2a100$ae40c718@Della> moo, i lost the email to rsvp to the dinner. life is crazy, i've been in a mad rush trying to get all my stuff ready for columbia u next semester. heh a programmer going to a med school. i need the info, i remember something about hard rock cafe and 20 bucks but don't know time or where nyc hard rock cafe is?? thanks shawn From adam at trachtenberg.com Wed Dec 3 21:35:21 2003 From: adam at trachtenberg.com (Adam Maccabee Trachtenberg) Date: Wed, 3 Dec 2003 21:35:21 -0500 (EST) Subject: [nycphp-talk] multilingual strategies In-Reply-To: <3FCE9649.6030003@chxo.com> References: <09B074D7-063E-11D8-8A2B-0003930D07F2@email.smith.edu> <3FCE9649.6030003@chxo.com> Message-ID: On Wed, 3 Dec 2003, Chris Snyder wrote: > Marc Antony Vose wrote: > > > How do you handle multilingual sites? Do you tend to store data in > > text files, in a database, or some other way? Do you maintain > > different entire databases for each language, or different tables in > > the same database, or just different columns in the same table(s)? Some of the techniques I used to use are documented here: http://www.onlamp.com/pub/a/php/2002/11/28/php_i18n.html I don't think this meshes well with your setup, but I pass it along anyway. > One suggestion: consider using valid locales as your language codes so > that you can use them with strftime() to format dates. Just using "en" > or "es" might not be enough depending on your OS. You should definitely use locales. People are really picky about this. I would also suggest that you look into the GNU gettext library. You can build it as a PHP extension and I would guess that gettext is very efficient, if this is major concern to you. It also allows you to handle all sorts of pluralization and other oddities without needing to write your own. -adam PS: Oblig. PHP Cookbook Reference: Chapter 16. -- adam at trachtenberg.com author of o'reilly's php cookbook avoid the holiday rush, buy your copy today! From lists at ny-tech.net Wed Dec 3 21:47:14 2003 From: lists at ny-tech.net (Nasir Zubair) Date: Wed, 3 Dec 2003 21:47:14 -0500 Subject: [nycphp-talk] dinner help In-Reply-To: <000601c3ba0e$68c2a100$ae40c718@Della> Message-ID: <000701c3ba10$eee84b70$6401a8c0@main> http://nyphp.org/ :-) - Nasir > -----Original Message----- > From: Shawn Lawyer [mailto:shawn at shawnlawyer.com] > Sent: Wednesday, December 03, 2003 6:06 PM > To: NYPHP Talk > Subject: Re: [nycphp-talk] dinner help > > > moo, > > i lost the email to rsvp to the dinner. life is crazy, i've > been in a mad rush trying to get all my stuff ready for > columbia u next semester. heh a programmer going to a med > school. i need the info, i remember something about hard rock > cafe and 20 bucks but don't know time or where nyc hard rock cafe is?? > > thanks > shawn > > _______________________________________________ > talk mailing list > talk at lists.nyphp.org http://lists.nyphp.org/mailman/listinfo/talk > > From jlacey at att.net Wed Dec 3 21:56:50 2003 From: jlacey at att.net (John Lacey) Date: Wed, 03 Dec 2003 19:56:50 -0700 Subject: [nycphp-talk] dinner help In-Reply-To: <000701c3ba10$eee84b70$6401a8c0@main> References: <000701c3ba10$eee84b70$6401a8c0@main> Message-ID: <3FCEA272.900@att.net> Nasir Zubair wrote: > http://nyphp.org/ > > :-) > > - Nasir > >> >>moo, >> >>i lost the email to rsvp to the dinner. life is crazy, i've >>been in a mad rush trying to get all my stuff ready for >>columbia u next semester. heh a programmer going to a med >>school. i need the info, i remember something about hard rock >>cafe and 20 bucks but don't know time or where nyc hard rock cafe is?? >> >>thanks >>shawn man, if I wuz comin' to new yawk city, I'd make a beeline to the best Jewish Deli for a Corn Beef, Cole Slaw and Russian Dressing on Rye... with a pickle on the side of course damn, being from Phila and having worked in the City from time to time, I sure miss East Coast food.. ya just can't get a good sammich out here in Colorado :( John From southwell at dneba.com Wed Dec 3 23:17:46 2003 From: southwell at dneba.com (Michael Southwell) Date: Wed, 03 Dec 2003 23:17:46 -0500 Subject: [nycphp-talk] dinner help In-Reply-To: <3FCEA272.900@att.net> References: <000701c3ba10$eee84b70$6401a8c0@main> <3FCEA272.900@att.net> Message-ID: <6.0.1.1.2.20031203231656.01b38710@mail.optonline.net> At 09:56 PM 12/3/2003, you wrote: >damn, being from Phila and having worked in the City from time to time, I >sure miss East Coast food.. ya just can't get a good sammich out here in >Colorado :( ah, but your skiing is better! Michael G. Southwell ================================= DNEBA Enterprises 81 South Road Bloomingdale, NJ 07403-1419 973/492-7873 (voice and fax) southwell at dneba.com http://www.dneba.com ====================================================== From xml at aumcomputers.com Thu Dec 4 06:25:04 2003 From: xml at aumcomputers.com (Anirudh Zala) Date: Thu, 4 Dec 2003 16:55:04 +0530 Subject: [nycphp-talk] multilingual strategies References: <09B074D7-063E-11D8-8A2B-0003930D07F2@email.smith.edu> Message-ID: <01bd01c3ba59$6f89e6b0$0164a8c0@com1> Hi, We have been providing multilingual support for websites since 4 years. To store language variables we use File system instead of DB, as DB access for each and every page is not recommended from performance point of view in general sense. Just think how many DB interactions you will need for each and every request if you store language variables in DB. We don't do embedded programming, rather we keep pur PHP code and GUI part separately, hence we store all language variables in 1 php file depnding upon how much language support u require. While displaying those language specific items, we store language variable in session variable or in cookie at client side and use it across our all php files. Whenever new language is selected (by flag or caption name) 1,2 or 3 or 4 will be stored in session which will determine which language file is to be included. My structure is like below. ....Config variables or Config files ....Language files say 1.inc or 2.inc (1 and 2 are stored in session) ....Other files or Main code ....Parse your language variables here ....Print out put to browser For exmaple your 1.inc file (which is in english) contains variables like below $cap[hello]="Hello"; $msg[hello]="Welcome to Foo site"; And 2.inc (which is in spanish langauge) contains variables like below $cap[hello]="Hola"; $msg[hello]="Welcome ... .. site"; And similarly 3.inc, 4.inc etc.. While GUI part your html files contains variables like this {WELCOME} {WELCOME_MSG} Finally 1 of your common parsing file, like ** rFastTemplate.php** in our case using "assign" method, will parse php realted variables into html template and will send output to browser. code can be like below: [.....code.....includable files..code...] $tp->assign(array(WELCOME=>$cap[hello],WELCOME_MSG=>$msg[hello])); [...print output...] By this way effieceint multilingual implementation can be achieved without any extra efforts. Maximum benefit is that we don't require DB connections here, as this system is absolutely dependent upon File system. Thanks Anirudh Zala ------------------------------------------------------------------------- Anirudh Zala (Project Manager), Tel: +91 281 2451894 AUM Computers, 317 Star Plaza, anirudh at aumcomputers.com Rajkot-360001, Gujarat, INDIA http://www.aspl.info ------------------------------------------------------------------------- ----- Original Message ----- From: "Marc Antony Vose" To: "NYPHP Talk" Sent: Thursday, 04 December, 2003 7:18 AM Subject: [nycphp-talk] multilingual strategies > Hi there. > > I develop sites with my own custom publishing engine that I've been > adding to since about 1998...all in PHP. My goals are to keep it as > modular as possible, so I can easily plug in different bits of > functionality, and provide my clients with the greatest amount of > flexibility in terms of what it can be used for. > > So, with that mindset, I'm interested in how people here have > approached multilingual sites in a PHP/MySQL environment? In > particular, I have an upcoming cultural project that will be > translated into an unknown number of languages, and only in bits and > pieces. So, at any given point in the content hierarchy, the system > will need to look for a preferred language, and if it isn't found, go > to the next on the list, and so on. > > (This is similar to the way Mac OS X works if any of you have used it.) > > The content will vary in terms of scope, length and type; right now, > I tend to utilize MySQL for text data storage about 80% of the time, > and the other 20% of the time I store textual content in text files, > as serialized PHP objects. I always store graphics in the filesystem. > > So, I have my own ideas on how I am going to approach this, but here > are my questions. > > How do you handle multilingual sites? Do you tend to store data in > text files, in a database, or some other way? Do you maintain > different entire databases for each language, or different tables in > the same database, or just different columns in the same table(s)? > > Looking for abstract answers here about strategy. > > Thanks much, > > -- > Marc Antony Vose > http://www.suzerain.com/ > > Never underestimate the power of human stupidity. > -- Lazarus Long > _______________________________________________ > talk mailing list > talk at lists.nyphp.org > http://lists.nyphp.org/mailman/listinfo/talk > From jlacey at att.net Thu Dec 4 08:07:28 2003 From: jlacey at att.net (John Lacey) Date: Thu, 04 Dec 2003 06:07:28 -0700 Subject: [nycphp-talk] dinner help In-Reply-To: <6.0.1.1.2.20031203231656.01b38710@mail.optonline.net> References: <000701c3ba10$eee84b70$6401a8c0@main> <3FCEA272.900@att.net> <6.0.1.1.2.20031203231656.01b38710@mail.optonline.net> Message-ID: <3FCF3190.7060209@att.net> Michael Southwell wrote: > At 09:56 PM 12/3/2003, you wrote: > >> damn, being from Phila and having worked in the City from time to >> time, I sure miss East Coast food.. ya just can't get a good sammich >> out here in Colorado :( > > > ah, but your skiing is better! > > true dat Michael... Steamboat Spring's champagne powder is a pleasure to do a face plant in :)) btw, I worked for Steamboat's Ski and Resort Corp for a year and 2 summers on their central reservations system -- AT&T Unix with an Informix back end... tough job but someone had to do it :) >From hans not junk at nyphp.com Thu Dec 4 10:32:16 2003 Return-Path: Received: from londo.swishmail.com (londo.swishmail.com [209.10.110.95]) by virtu.nyphp.org (Postfix) with ESMTP id 0A735A85F0 for ; Thu, 4 Dec 2003 10:32:16 -0500 (EST) Received: (qmail 44558 invoked by uid 89); 4 Dec 2003 15:32:15 -0000 Received: from unknown (HELO nyphp.com) (hans not junk at nyphp.com@128.122.155.151) by londo.swishmail.com with AES256-SHA encrypted SMTP; 4 Dec 2003 15:32:15 -0000 Message-ID: <3FCF53C3.8010308 at nyphp.com> Date: Thu, 04 Dec 2003 10:33:23 -0500 From: Hans Zaunere User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.5) Gecko/20031007 X-Accept-Language: en-us, en MIME-Version: 1.0 To: NYPHP Talk Subject: Re: [nycphp-talk] dinner help References: <000701c3ba10$eee84b70$6401a8c0 at main> <3FCEA272.900 at att.net> <6.0.1.1.2.20031203231656.01b38710 at mail.optonline.net> <3FCF3190.7060209 at att.net> In-Reply-To: <3FCF3190.7060209 at att.net> Content-Type: text/plain; charset=us-ascii; format=flowed Content-Transfer-Encoding: 7bit X-BeenThere: talk at lists.nyphp.org X-Mailman-Version: 2.1.2 Precedence: list Reply-To: NYPHP Talk List-Id: NYPHP Talk List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 04 Dec 2003 15:32:16 -0000 John Lacey wrote: > > > Michael Southwell wrote: > >> At 09:56 PM 12/3/2003, you wrote: >> >>> damn, being from Phila and having worked in the City from time to >>> time, I sure miss East Coast food.. ya just can't get a good sammich >>> out here in Colorado :( >> >> >> >> ah, but your skiing is better! >> >> > > true dat Michael... Steamboat Spring's champagne powder is a pleasure to > do a face plant in :)) > > btw, I worked for Steamboat's Ski and Resort Corp for a year and 2 > summers on their central reservations system -- AT&T Unix with an > Informix back end... tough job but someone had to do it :) There's already a PHP Cruise. I think a PHP Ski Trip with tutorials, sessions, powder and hot chocolate would be great :) H >From hans not junk at nyphp.com Thu Dec 4 10:39:29 2003 Return-Path: Received: from londo.swishmail.com (londo.swishmail.com [209.10.110.95]) by virtu.nyphp.org (Postfix) with ESMTP id 7794DA85F0 for ; Thu, 4 Dec 2003 10:39:29 -0500 (EST) Received: (qmail 46777 invoked by uid 89); 4 Dec 2003 15:39:29 -0000 Received: from unknown (HELO nyphp.com) (hans not junk at nyphp.com@128.122.155.151) by londo.swishmail.com with AES256-SHA encrypted SMTP; 4 Dec 2003 15:39:29 -0000 Message-ID: <3FCF5575.2080904 at nyphp.com> Date: Thu, 04 Dec 2003 10:40:37 -0500 From: Hans Zaunere User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.5) Gecko/20031007 X-Accept-Language: en-us, en MIME-Version: 1.0 To: NYPHP Talk Subject: Re: [nycphp-talk] newbie - square one References:

In-Reply-To: Content-Type: text/plain; charset=us-ascii; format=flowed Content-Transfer-Encoding: 7bit X-BeenThere: talk at lists.nyphp.org X-Mailman-Version: 2.1.2 Precedence: list Reply-To: NYPHP Talk List-Id: NYPHP Talk List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 04 Dec 2003 15:39:29 -0000 -sry wrote: >>See, I told you this was a better place to get questions answered than >>the wwwac. >> > > Hey! Now don't go comparing apples to oranges--wwwac is still > better for plenty of things, if nothing else, the wwwacies themselves! :) > We have lots of fun over there and occasionally get some work > done, too! For the focused topic of PHP or PHP/mySQL, yes, > this is HEAVEN :-) So glad I found you guys. You should also check out the NYFE (New York Front End) list, also at http://nyphp.org/lists It focuses on client-side coding and interaction between PHP and client side languages - crazy guys, but they're great :) > Jeff, thanks for the list of books - I have no money for any books > right now but the Great American Public Library system seems to > keep themselves pretty well-stocked on computer-related things > here in Cambridge. Big surprise, huh? <> > > I'll see what I can find. I think O'Reilly needs to have a "large > consumer's club" or "Book of the Month" club where if you buy > at least 8 books a year, you get one free or something :-D The > only things besides clothes that I have paid to ship internationally > (no less than 3 times) are my computer and engineering > books--more than half of them ORA. I want something back, > darnit. NYPHP's book review program might help. We've got a couple great books left and request more from the publishers. The books are free, but we ask that you write a short review of the book. See http://nyphp.org/library for more. Hans >From hans not junk at nyphp.com Thu Dec 4 10:47:43 2003 Return-Path: Received: from londo.swishmail.com (londo.swishmail.com [209.10.110.95]) by virtu.nyphp.org (Postfix) with ESMTP id D31D3A85FD for ; Thu, 4 Dec 2003 10:47:42 -0500 (EST) Received: (qmail 49263 invoked by uid 89); 4 Dec 2003 15:47:42 -0000 Received: from unknown (HELO nyphp.com) (hans not junk at nyphp.com@128.122.155.151) by londo.swishmail.com with AES256-SHA encrypted SMTP; 4 Dec 2003 15:47:42 -0000 Message-ID: <3FCF5762.9040403 at nyphp.com> Date: Thu, 04 Dec 2003 10:48:50 -0500 From: Hans Zaunere User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.5) Gecko/20031007 X-Accept-Language: en-us, en MIME-Version: 1.0 To: NYPHP Talk Subject: Re: [nycphp-talk] security? we don't need no stinkin security! References: <009a01c3b99e$75995420$bf8d3818 at oberon1> <3FCE17CD.6050902 at att.net> In-Reply-To: <3FCE17CD.6050902 at att.net> Content-Type: text/plain; charset=us-ascii; format=flowed Content-Transfer-Encoding: 7bit X-BeenThere: talk at lists.nyphp.org X-Mailman-Version: 2.1.2 Precedence: list Reply-To: NYPHP Talk List-Id: NYPHP Talk List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 04 Dec 2003 15:47:43 -0000 John Lacey wrote: > > Tim Gales wrote: > >> ".. wouldn't it be nice if well-designed secure components (pcom?) >> were available that one could go to the 'lego box' and pull out what >> you need to put it together..." >> >> Are you saying that Pear doesn't do this? I would say PEAR doesn't do this for a number of reasons. For one, PEAR is not modular (component) based. It's a framework with a great deal of interdependancy that provides a large and varied set of functionality. PEAR doesn't provide isolated functionality - it's all PEAR or nothing. More of an erector set than legos? :) PCOMs, or any component based system, are isolated from each other. There are no dependancies between components, and each provides a very specific set of functionality - yet, the functionality is generic (could be used and reused in any environment). Personally, and not to come down on PEAR or CPAN too much, but a large, complex and interconnected framework is more prone to security issues, not to mention performance and maintainability. A component model allows specific functionality to be extremely well tested, maintained and deployed. My 2 cents, H From tgales at tgaconnect.com Thu Dec 4 11:49:57 2003 From: tgales at tgaconnect.com (Tim Gales) Date: Thu, 4 Dec 2003 11:49:57 -0500 Subject: [nycphp-talk] security? we don't need no stinkin security! In-Reply-To: <3FCF5762.9040403@nyphp.com> Message-ID: <000801c3ba86$a6e3d940$bf8d3818@oberon1> H writes: "...PEAR doesn't do this for a number of reasons..." Is it fair to characterize your response as: 1) Not modular (too interconnected) 2) Complex (large) making it: 2a) hard to maintain 2b) slow 2c) prone to security flaws T. Gales & Associates 'Helping People Connect with Technology' http://www.tgaconnect.com > From shiflett at php.net Thu Dec 4 12:11:17 2003 From: shiflett at php.net (Chris Shiflett) Date: Thu, 4 Dec 2003 09:11:17 -0800 (PST) Subject: [nycphp-talk] Syndication Message-ID: <20031204171117.55055.qmail@web14309.mail.yahoo.com> We're getting some attention: http://www.phpmag.net/itr/news/psecom,id,12865,nodeid,113.html Maybe sites will soon be syndicating our phundamentals as well. Do we have an XML feed for those, or would it be worth even considering such a thing? Chris ===== Chris Shiflett - http://shiflett.org/ PHP Security Handbook Coming mid-2004 HTTP Developer's Handbook http://httphandbook.org/ From bpang at bpang.com Thu Dec 4 12:18:33 2003 From: bpang at bpang.com (Brian Pang) Date: Thu, 04 Dec 2003 12:18:33 -0500 Subject: [nycphp-talk] Syndication Message-ID: I guess we better start watching what we say if the world will be watching... :) > We're getting some attention: > > http://www.phpmag.net/itr/news/psecom,id,12865,nodeid,113.html >From hans not junk at nyphp.com Thu Dec 4 13:18:35 2003 Return-Path: Received: from londo.swishmail.com (londo.swishmail.com [209.10.110.95]) by virtu.nyphp.org (Postfix) with ESMTP id 9F896A85F0 for ; Thu, 4 Dec 2003 13:18:35 -0500 (EST) Received: (qmail 6500 invoked by uid 89); 4 Dec 2003 18:18:35 -0000 Received: from unknown (HELO nyphp.com) (hans not junk at nyphp.com@128.122.155.151) by londo.swishmail.com with AES256-SHA encrypted SMTP; 4 Dec 2003 18:18:35 -0000 Message-ID: <3FCF7ABF.3070906 at nyphp.com> Date: Thu, 04 Dec 2003 13:19:43 -0500 From: Hans Zaunere User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.5) Gecko/20031007 X-Accept-Language: en-us, en MIME-Version: 1.0 To: NYPHP Talk Content-Type: text/plain; charset=us-ascii; format=flowed Content-Transfer-Encoding: 7bit Subject: [nycphp-talk] [Fwd: MySQL 4.1.1 has been released] X-BeenThere: talk at lists.nyphp.org X-Mailman-Version: 2.1.2 Precedence: list Reply-To: NYPHP Talk List-Id: NYPHP Talk List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 04 Dec 2003 18:18:36 -0000 FYI -------- Original Message -------- Subject: MySQL 4.1.1 has been released Date: Thu, 4 Dec 2003 16:23:56 +0100 (CET) From: Lenz Grimmer To: announce at lists.mysql.com -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Hi, MySQL 4.1.1, a new version of the popular Open Source/Free Software database management system, has been released. It is now available in source and binary form for a number of platforms from our download pages at http://www.mysql.com/downloads/ and mirror sites. Note that not all mirror sites may be up to date at this point in time - if you can't find this version on some mirror, please try again later or choose another download site. This is the second Alpha development release of the 4.1 tree, adding many new features (see below) and fixing recently discovered bugs. Please refer to our bug database at http://bugs.mysql.com/ for more details about the individual bugs fixed in this version. As this code is currently labeled "Alpha", we do not recommend that this version be used in production environments yet! However, we encourage you to test and evaluate it and, more importantly, report any bugs or observations to our bug tracking database at http://bugs.mysql.com/. Please note, that for us to resolve a bug report, a reproducible test is required. See "How to report a bug" at http://bugs.mysql.com/how-to-report.php for more details before filing a bug report. We appreciate your support! For a more detailed list of features in MySQL 4.1, please see http://www.mysql.com/doc/en/MySQL_4.1_Nutshell.html News from the ChangeLog: Functionality added or changed: * Added `IGNORE' option for `DELETE' statement. * The MySQL source distribution now also includes the MySQL Internals Manual `internals.texi'. * Added `mysql_set_server_option()' C API client function to allow multiple statement handling in the server to be enabled or disabled. * The `mysql_next_result()' C API function now returns `-1' if there are no more result sets. * Renamed `CLIENT_MULTI_QUERIES' connect option flag to `CLIENT_MULTI_STATEMENTS'. To allow for a transition period, the old option will continue to be recognized for a while. * Require `DEFAULT' before table and database default character set. This enables us to use `ALTER TABLE table_name ... CHARACTER SET=...' to change the character set for all `CHAR', `VARCHAR', and `TEXT' columns in a table. * Added `MATCH ... AGAINST( ... WITH QUERY EXPANSION)' and the `ft_query_expansion_limit' server variable. * Removed unused `ft_max_word_len_for_sort' server variable. * Full-text search now supports multi-byte character sets and the Unicode `utf8' character set. (The Unicode `ucs2' character set is not yet supported.) * Phrase search in `MATCH ... AGAINST ( ... IN BOOLEAN MODE)' no longer matches partial words. * Added aggregate function `BIT_XOR()' for bitwise XOR operations. * Replication over SSL now works. * The `START SLAVE' statement now supports an `UNTIL' clause for specifying that the slave SQL thread should be started but run only until it reaches a given position in the master's binary logs or in the slave's relay logs. * Produce warnings even for single-row `INSERT' statements, not just for multiple-row `INSERT' statements. Previously, it was necessary to set `SQL_WARNINGS=1' to generate warnings for single-row statements. * Added `delimiter' (`\d') command to the `mysql' command-line client for changing the statement delimiter (terminator). The default delimiter is semicolon. * `CHAR', `VARCHAR', and `TEXT' columns now have lengths measured in characters rather than in bytes. The character size depends on the column's character set. This means, for example, that a `CHAR(n)' column for a multi-byte character set will take more storage than before. Similarly, index values on such columns are measured in characters, not bytes. * The `DATABASE()' function now returns `NULL' rather than the empty string if there is no database selected. * Added `--sql-mode=NO_AUTO_VALUE_ON_ZERO' option to suppress the usual behaviour of generating the next sequence number when zero is stored in an `AUTO_INCREMENT' column. With this mode enabled, zero is stored as zero; only storing `NULL' generates a sequence number. * *Warning: Incompatible change!* Client authentication now is based on 41-byte passwords in the `user' table, not 45-byte passwords as in 4.1.0. Any 45-byte passwords created for 4.1.0 must be reset after running the `mysql_fix_privilege_tables' script. * *Warning: Incompatible change!* Renamed the C API `mysql_prepare_result()' function to `mysql_get_metadata()' as the old name was confusing. * Added `DROP USER 'username'@'hostname'' statement to drop an account that has no privileges. * The interface to aggregated UDF functions has changed a bit. You must now declare a `xxx_clear()' function for each aggregate function `XXX()'. * The `CONCAT_WS()' function no longer skips empty strings. * Added new `ADDTIME()', `DATE()', `DATEDIFF()', `LAST_DAY()', `MAKEDATE()', `MAKETIME()', `MICROSECOND()', `SUBTIME()', `TIME()', `TIMEDIFF()', `TIMESTAMP()', `UTC_DATE()', `UTC_TIME()', `UTC_TIMESTAMP()', and `WEEKOFYEAR()' functions. * Added new syntax for `ADDDATE()' and `SUBDATE()'. The second argument now may be a number representing the number of days to be added to or subtracted from the first date argument. * Added new `type' values `DAY_MICROSECOND', `HOUR_MICROSECOND', `MINUTE_MICROSECOND', `SECOND_MICROSECOND', and `MICROSECOND' for `DATE_ADD()', `DATE_SUB()', and `EXTRACT()'. * Added new `%f' microseconds format specifier for `DATE_FORMAT()' and `TIME_FORMAT()'. * All queries in which at least one `SELECT' does not use indexes properly now are written to the slow query log when long log format is used. * It is now possible to create a `MERGE' table from `MyISAM' tables in different databases. Formerly, all the `MyISAM' tables had to be in the same database, and the `MERGE' table had to be created in that database as well. * Added new `COMPRESS()', `UNCOMPRESS()', and `UNCOMPRESSED_LENGTH()' functions. * When doing `SET sql_mode='mode'' for a complex mode (like `ANSI'), we now update the `sql_mode' variable to include all the individual options implied by the complex mode. * Added the OLAP (On-Line Analytical Processing) function `ROLLUP', which provides summary rows for each `GROUP BY' level. * Added `SQLSTATE' codes for all server errors. * Added `mysql_sqlstate()' and `mysql_stmt_sqlstate()' C API client functions that return the `SQLSTATE' error code for the last error. * `TIME' columns with hour values greater than 24 were returned incorrectly to the client. * `ANALYZE', `OPTIMIZE', `REPAIR', and `FLUSH' statements are now stored in the binary log and thus replicated to slaves. This logging does not occur if the optional `NO_WRITE_TO_BINLOG' keyword (or its alias `LOCAL') is given. Exceptions are that `FLUSH LOGS', `FLUSH MASTER', `FLUSH SLAVE', and `FLUSH TABLES WITH READ LOCK' are not logged in any case. For a syntax example, see *Note `FLUSH': FLUSH. * New global variable `RELAY_LOG_PURGE' to enable or disable automatic relay log purging. * `LOAD DATA' now produces warnings that can be fetched with `SHOW WARNINGS'. * Added support for syntax `CREATE TABLE table2 (LIKE table1)' that creates an empty table `table2' with a definition that is exactly the same as `table1', including any indexes. * `CREATE TABLE table_name (...) TYPE=storage_engine' now generates a warning if the named storage engine is not available. The table is still created as a `MyISAM' table, as before. * Most subqueries are now much faster than before. * Added `PURGE BINARY LOGS' as an alias for `PURGE MASTER LOGS'. * Disabled the `PURGE LOGS' statement that was added in in version 4.1.0. The statement now should be issued as `PURGE MASTER LOGS' or `PURGE BINARY LOGS'. * Added `SHOW BDB LOGS' as an alias for `SHOW LOGS'. * Added `SHOW MASTER LOGS' (which had been deleted in version 4.1.0) as an alias for `SHOW BINARY LOGS'. * Added `Slave_IO_State' and `Seconds_Behind_Master' columns to the output of `SHOW SLAVE STATUS'. `Slave_IO_State' indicates the state of the slave I/O thread, and `Seconds_Behind_Master' indicates the number of seconds by which the slave is late compared to the master. * `--lower-case-table-names=1' now also makes aliases case insensitive. (Bug #534) Bugs fixed: * Fixed a bug in privilege handling that caused connections from certain IP addresses to be assigned incorrect database-level privileges. A connection could be assigned the database privileges of the previous successful authentication from one of those IP addresses, even if the IP address username and database name were different. (Bug #1636) * Error-handling functions were not called properly when an error resulted from `[CREATE | REPLACE| INSERT] ... SELECT' statements. * `HASH', `BTREE', `RTREE', `ERRORS', and `WARNINGS' no longer are reserved words. (Bug #724) * Fix for bug in `ROLLUP' when all tables were `const' tables. (Bug #714) * Fixed a bug in `UNION' that prohibited `NULL' values from being inserted into result set columns where the first `SELECT' of the `UNION' retrieved `NOT NULL' columns. * Fixed name resolution of columns of reduced subqueries in unions. (Bug #745) * Fixed memory overrun in subqueries in select list with `WHERE' clause bigger than outer query `WHERE' clause. (Bug #726) * Fixed a bug that caused `MyISAM' tables with `FULLTEXT' indexes created in 4.0.x to be unreadable in 4.1.x. * Fixed a data loss bug in `REPAIR TABLE ... USE_FRM' when used with tables that contained `TIMESTAMP' columns and were created in 4.0.x. * Fixed reduced subquery processing in `ORDER BY'/`GROUP BY' clauses. (Bug #442) * Fixed name resolution of outer columns of subquery in `INSERT'/`REPLACE' statements. (Bug #446) * Fixed bug in marking columns of reduced subqueries. (Bug #679) * Fixed a bug that made `CREATE FULLTEXT INDEX' syntax illegal. * Fixed a crash when a `SELECT' that required a temporary table (marked by `Using temporary' in `EXPLAIN' output) was used as a derived table in `EXPLAIN' command. (Bug #251) * Fixed a rare table corruption bug in `DELETE' from a big table with a *new* (created by MySQL-4.1) full-text index. * `LAST_INSERT_ID()' now returns 0 if the last `INSERT' statement didn't insert any rows. * Fixed missing last character in function output. (Bug #447) * Fixed a rare replication bug when a transaction spanned two or more relay logs, and the slave was stopped while executing the part of the transaction that was in the second or later relay log. Then replication would resume at the beginning of the second or later relay log, which was incorrect. (It should resume at `BEGIN', in the first relay log.) (Bug #53) * `CONNECTION_ID()' now is properly replicated. (Bug #177) * The new `PASSWORD()' function in 4.1 is now properly replicated. (Bug #344) * Fixed bug with doubly freed memory. * Fixed crashing bug in `UNION' operations that involved temporary tables. * Fixed a crashing bug in `DERIVED TABLES' when `EXPLAIN' is used on a `DERIVED TABLES' with a join. * Fixed a crashing bug in `DELETE' with `ORDER BY' and `LIMIT' caused by an uninitialized array of reference pointers. * Fixed a bug in the `USER()' function caused by an error in the size of the allocated string. * Fixed a crashing bug when attempting to create a table containing a spatial (GIS) column with a storage engine that does not support spatial types. * Fixed a crashing bug in `UNION' caused by the empty select list and a non-existent column being used in some of the individual `SELECT' statements. * Fixed a replication bug with a 3.23 master and a 4.0 slave: The slave lost the replicated temporary tables if `FLUSH LOGS' was issued on the master. (Bug #254) * Fixed a security bug: A server compiled without SSL support still allowed connections by users that had the `REQUIRE SSL' option specified for their accounts. * When an undefined user variable was used in a updating query on the master (such as `INSERT INTO t VALUES(@a)', where `@a' had never been set by this connection before), the slave could replicate the query incorrectly if a previous transaction on the master used a user variable of the same name. (Bug #1331) * Fixed bug with prepared statements: Using the `?' prepared statement parameter as the argument to certain functions or statement clauses caused a server crash when `mysql_prepare()' was invoked. (Bug #1500) Additional notes: * Due to a bug in the getpeername() system call on 64bit HP-UX, we currently do not provide 64bit binaries for HP-UX (IA64 and PA-RISC). We are working closely with HP on investigating this issue. Bye, LenZ - -- Lenz Grimmer Senior Production Engineer MySQL GmbH, http://www.mysql.de/ Hamburg, Germany For technical support contracts, visit https://order.mysql.com/?ref=mlgr -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.2 (GNU/Linux) Comment: For info see http://quantumlab.net/pine_privacy_guard/ iD8DBQE/z1GMSVDhKrJykfIRAqj6AJ0XZRNpyLxDYXySbCBXjl7xsjsKtQCffq/r HCLqP/o23PAcxvpH5Htq+Ho= =glpu -----END PGP SIGNATURE----- -- MySQL Announce Mailing List For list archives: http://lists.mysql.com/announce To unsubscribe: http://lists.mysql.com/announce?unsub=hans at nyphp.org >From hans not junk at nyphp.com Thu Dec 4 13:20:11 2003 Return-Path: Received: from londo.swishmail.com (londo.swishmail.com [209.10.110.95]) by virtu.nyphp.org (Postfix) with ESMTP id 6DF7AA85F0 for ; Thu, 4 Dec 2003 13:20:11 -0500 (EST) Received: (qmail 7204 invoked by uid 89); 4 Dec 2003 18:20:11 -0000 Received: from unknown (HELO nyphp.com) (hans not junk at nyphp.com@128.122.155.151) by londo.swishmail.com with AES256-SHA encrypted SMTP; 4 Dec 2003 18:20:11 -0000 Message-ID: <3FCF7B1F.1020308 at nyphp.com> Date: Thu, 04 Dec 2003 13:21:19 -0500 From: Hans Zaunere User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.5) Gecko/20031007 X-Accept-Language: en-us, en MIME-Version: 1.0 To: NYPHP Talk Subject: Re: [nycphp-talk] Syndication References: <20031204171117.55055.qmail at web14309.mail.yahoo.com> In-Reply-To: <20031204171117.55055.qmail at web14309.mail.yahoo.com> Content-Type: text/plain; charset=us-ascii; format=flowed Content-Transfer-Encoding: 7bit X-BeenThere: talk at lists.nyphp.org X-Mailman-Version: 2.1.2 Precedence: list Reply-To: NYPHP Talk List-Id: NYPHP Talk List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 04 Dec 2003 18:20:11 -0000 Chris Shiflett wrote: > We're getting some attention: > > http://www.phpmag.net/itr/news/psecom,id,12865,nodeid,113.html > > Maybe sites will soon be syndicating our phundamentals as well. Do we have > an XML feed for those, or would it be worth even considering such a thing? We don't - and it would :) We already have an aggreation page at http://nyphp.org/content/rss/ but nothing to feed our content out. H >From hans not junk at nyphp.com Thu Dec 4 13:21:44 2003 Return-Path: Received: from londo.swishmail.com (londo.swishmail.com [209.10.110.95]) by virtu.nyphp.org (Postfix) with ESMTP id CDA82A85FD for ; Thu, 4 Dec 2003 13:21:44 -0500 (EST) Received: (qmail 7739 invoked by uid 89); 4 Dec 2003 18:21:44 -0000 Received: from unknown (HELO nyphp.com) (hans not junk at nyphp.com@128.122.155.151) by londo.swishmail.com with AES256-SHA encrypted SMTP; 4 Dec 2003 18:21:44 -0000 Message-ID: <3FCF7B7C.40202 at nyphp.com> Date: Thu, 04 Dec 2003 13:22:52 -0500 From: Hans Zaunere User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.5) Gecko/20031007 X-Accept-Language: en-us, en MIME-Version: 1.0 To: NYPHP Talk Subject: Re: [nycphp-talk] security? we don't need no stinkin security! References: <000801c3ba86$a6e3d940$bf8d3818 at oberon1> In-Reply-To: <000801c3ba86$a6e3d940$bf8d3818 at oberon1> Content-Type: text/plain; charset=us-ascii; format=flowed Content-Transfer-Encoding: 7bit X-BeenThere: talk at lists.nyphp.org X-Mailman-Version: 2.1.2 Precedence: list Reply-To: NYPHP Talk List-Id: NYPHP Talk List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 04 Dec 2003 18:21:45 -0000 Tim Gales wrote: > H writes: > "...PEAR doesn't do this for a number of reasons..." > > Is it fair to characterize your response as: > > 1) Not modular (too interconnected) > 2) Complex (large) making it: > 2a) hard to maintain > 2b) slow > 2c) prone to security flaws Yes, albeit taken out of context it sounds very harsh :) In all, I feel that these points hold true in any environment, PHP/PEAR or not. H From danielk at us.ibm.com Thu Dec 4 14:47:23 2003 From: danielk at us.ibm.com (Daniel Krook) Date: Thu, 4 Dec 2003 14:47:23 -0500 Subject: [nycphp-talk] Syndication In-Reply-To: <3FCF7B1F.1020308@nyphp.com> Message-ID: Creating our own feed would be easier than it was to create the aggregator. And we can reuse much of the same code that we currently use for "Hot Threads" on the left nav. I actually threw together an RSS 2.0 feed last night for one of my own sites in less than 20 minutes - right after discovering the coolness that is FeedDemon (from the guy that wrote HomeSite and currently develops TopStyle) http://bradsoft.com/feeddemon/ I say we tack it on to next week's development meeting agenda. > We don't - and it would :) We already have an aggreation page at > http://nyphp.org/content/rss/ but nothing to feed our content out. > > H Daniel Krook, Application Developer, Production Services, ibm.com 1133 Westchester Avenue, White Plains, NY 10604 Tel: (914) 642-4474, Tieline 224-4474 danielk at us.ibm.com Personal: http://info.krook.org/ Persona: http://w3.ibm.com/persona/users/9/0/x/90MC212-P.html From Kbedi at inta.org Thu Dec 4 14:54:28 2003 From: Kbedi at inta.org (Kshitij Bedi) Date: Thu, 4 Dec 2003 14:54:28 -0500 Subject: [nycphp-talk] Smarty String Comparison Message-ID: Hi there Can someone tell me how to do case insensitive string comparison in smarty templates. and also how to trim strings while comparing them. For e.g. {if $var == "Var"} Display {/if} if this is the statement how to I change it so that it trims $var and does a case insensitive compare with "Var" From adam at trachtenberg.com Thu Dec 4 14:57:30 2003 From: adam at trachtenberg.com (Adam Maccabee Trachtenberg) Date: Thu, 4 Dec 2003 14:57:30 -0500 (EST) Subject: [nycphp-talk] Smarty String Comparison In-Reply-To: References: Message-ID: On Thu, 4 Dec 2003, Kshitij Bedi wrote: > For e.g. > {if $var == "Var"} Display {/if} Does something like this work? {if $var|lower == "var"} Display {/if} -adam -- adam at trachtenberg.com author of o'reilly's php cookbook avoid the holiday rush, buy your copy today! From keith.richardson at thompsonhealth.com Thu Dec 4 14:58:37 2003 From: keith.richardson at thompsonhealth.com (Keith Richardson) Date: Thu, 4 Dec 2003 14:58:37 -0500 Subject: [nycphp-talk] Smarty String Comparison In-Reply-To: <4A34D0947B38AF4D8629DA86655D59069153D7@ffth-exc01.thompsonhealth.org> Message-ID: <4A34D0947B38AF4D8629DA86655D5906C13A@ffth-exc01.thompsonhealth.org> You would need to change the case of the string, say strtolower($var) == "var" if you want to compare a substring, use the function substr ($var, $start, $end) so if you wanted to compare the first 3 characters of $var to see if they matched var, you would do if (strtolower(substr($var,0,3)) == "var") { dosomething; } -----Original Message----- From: talk-bounces at lists.nyphp.org [mailto:talk-bounces at lists.nyphp.org]On Behalf Of Kshitij Bedi Sent: Thursday, December 04, 2003 2:54 PM To: 'NYPHP Talk' Subject: [nycphp-talk] Smarty String Comparison Hi there Can someone tell me how to do case insensitive string comparison in smarty templates. and also how to trim strings while comparing them. For e.g. {if $var == "Var"} Display {/if} if this is the statement how to I change it so that it trims $var and does a case insensitive compare with "Var" _______________________________________________ talk mailing list talk at lists.nyphp.org http://lists.nyphp.org/mailman/listinfo/talk From Kbedi at inta.org Thu Dec 4 15:02:26 2003 From: Kbedi at inta.org (Kshitij Bedi) Date: Thu, 4 Dec 2003 15:02:26 -0500 Subject: [nycphp-talk] Smarty String Comparison Message-ID: Would the strtolower function work inside a smarty template? -----Original Message----- From: Keith Richardson [mailto:keith.richardson at thompsonhealth.com] Sent: Thursday, December 04, 2003 2:59 PM To: 'NYPHP Talk' Subject: RE: [nycphp-talk] Smarty String Comparison You would need to change the case of the string, say strtolower($var) == "var" if you want to compare a substring, use the function substr ($var, $start, $end) so if you wanted to compare the first 3 characters of $var to see if they matched var, you would do if (strtolower(substr($var,0,3)) == "var") { dosomething; } -----Original Message----- From: talk-bounces at lists.nyphp.org [mailto:talk-bounces at lists.nyphp.org]On Behalf Of Kshitij Bedi Sent: Thursday, December 04, 2003 2:54 PM To: 'NYPHP Talk' Subject: [nycphp-talk] Smarty String Comparison Hi there Can someone tell me how to do case insensitive string comparison in smarty templates. and also how to trim strings while comparing them. For e.g. {if $var == "Var"} Display {/if} if this is the statement how to I change it so that it trims $var and does a case insensitive compare with "Var" _______________________________________________ talk mailing list talk at lists.nyphp.org http://lists.nyphp.org/mailman/listinfo/talk _______________________________________________ talk mailing list talk at lists.nyphp.org http://lists.nyphp.org/mailman/listinfo/talk From keith.richardson at thompsonhealth.com Thu Dec 4 15:04:27 2003 From: keith.richardson at thompsonhealth.com (Keith Richardson) Date: Thu, 4 Dec 2003 15:04:27 -0500 Subject: [nycphp-talk] Smarty String Comparison In-Reply-To: <4A34D0947B38AF4D8629DA86655D59069153DA@ffth-exc01.thompsonhealth.org> Message-ID: <4A34D0947B38AF4D8629DA86655D5906C13B@ffth-exc01.thompsonhealth.org> Sorry, i just did it in php :/ the thing was solved in a previous post before i sent it, then realized it was about smarty :/ it can be found http://smarty.php.net/manual/en/language.modifier.lower.php -----Original Message----- From: talk-bounces at lists.nyphp.org [mailto:talk-bounces at lists.nyphp.org]On Behalf Of Kshitij Bedi Sent: Thursday, December 04, 2003 3:02 PM To: 'NYPHP Talk' Subject: RE: [nycphp-talk] Smarty String Comparison Would the strtolower function work inside a smarty template? -----Original Message----- From: Keith Richardson [mailto:keith.richardson at thompsonhealth.com] Sent: Thursday, December 04, 2003 2:59 PM To: 'NYPHP Talk' Subject: RE: [nycphp-talk] Smarty String Comparison You would need to change the case of the string, say strtolower($var) == "var" if you want to compare a substring, use the function substr ($var, $start, $end) so if you wanted to compare the first 3 characters of $var to see if they matched var, you would do if (strtolower(substr($var,0,3)) == "var") { dosomething; } -----Original Message----- From: talk-bounces at lists.nyphp.org [mailto:talk-bounces at lists.nyphp.org]On Behalf Of Kshitij Bedi Sent: Thursday, December 04, 2003 2:54 PM To: 'NYPHP Talk' Subject: [nycphp-talk] Smarty String Comparison Hi there Can someone tell me how to do case insensitive string comparison in smarty templates. and also how to trim strings while comparing them. For e.g. {if $var == "Var"} Display {/if} if this is the statement how to I change it so that it trims $var and does a case insensitive compare with "Var" _______________________________________________ talk mailing list talk at lists.nyphp.org http://lists.nyphp.org/mailman/listinfo/talk _______________________________________________ talk mailing list talk at lists.nyphp.org http://lists.nyphp.org/mailman/listinfo/talk _______________________________________________ talk mailing list talk at lists.nyphp.org http://lists.nyphp.org/mailman/listinfo/talk From Kbedi at inta.org Thu Dec 4 15:07:53 2003 From: Kbedi at inta.org (Kshitij Bedi) Date: Thu, 4 Dec 2003 15:07:53 -0500 Subject: [nycphp-talk] Smarty String Comparison Message-ID: Thanks, This worked for me trim(strtolower($var) == "var" -----Original Message----- From: Kshitij Bedi [mailto:Kbedi at inta.org] Sent: Thursday, December 04, 2003 3:02 PM To: 'NYPHP Talk' Subject: RE: [nycphp-talk] Smarty String Comparison Would the strtolower function work inside a smarty template? -----Original Message----- From: Keith Richardson [mailto:keith.richardson at thompsonhealth.com] Sent: Thursday, December 04, 2003 2:59 PM To: 'NYPHP Talk' Subject: RE: [nycphp-talk] Smarty String Comparison You would need to change the case of the string, say strtolower($var) == "var" if you want to compare a substring, use the function substr ($var, $start, $end) so if you wanted to compare the first 3 characters of $var to see if they matched var, you would do if (strtolower(substr($var,0,3)) == "var") { dosomething; } -----Original Message----- From: talk-bounces at lists.nyphp.org [mailto:talk-bounces at lists.nyphp.org]On Behalf Of Kshitij Bedi Sent: Thursday, December 04, 2003 2:54 PM To: 'NYPHP Talk' Subject: [nycphp-talk] Smarty String Comparison Hi there Can someone tell me how to do case insensitive string comparison in smarty templates. and also how to trim strings while comparing them. For e.g. {if $var == "Var"} Display {/if} if this is the statement how to I change it so that it trims $var and does a case insensitive compare with "Var" _______________________________________________ talk mailing list talk at lists.nyphp.org http://lists.nyphp.org/mailman/listinfo/talk _______________________________________________ talk mailing list talk at lists.nyphp.org http://lists.nyphp.org/mailman/listinfo/talk _______________________________________________ talk mailing list talk at lists.nyphp.org http://lists.nyphp.org/mailman/listinfo/talk From Kbedi at inta.org Thu Dec 4 15:09:38 2003 From: Kbedi at inta.org (Kshitij Bedi) Date: Thu, 4 Dec 2003 15:09:38 -0500 Subject: [nycphp-talk] Smarty String Comparison Message-ID: Thank you Keith -----Original Message----- From: Keith Richardson [mailto:keith.richardson at thompsonhealth.com] Sent: Thursday, December 04, 2003 3:04 PM To: 'NYPHP Talk' Subject: RE: [nycphp-talk] Smarty String Comparison Sorry, i just did it in php :/ the thing was solved in a previous post before i sent it, then realized it was about smarty :/ it can be found http://smarty.php.net/manual/en/language.modifier.lower.php -----Original Message----- From: talk-bounces at lists.nyphp.org [mailto:talk-bounces at lists.nyphp.org]On Behalf Of Kshitij Bedi Sent: Thursday, December 04, 2003 3:02 PM To: 'NYPHP Talk' Subject: RE: [nycphp-talk] Smarty String Comparison Would the strtolower function work inside a smarty template? -----Original Message----- From: Keith Richardson [mailto:keith.richardson at thompsonhealth.com] Sent: Thursday, December 04, 2003 2:59 PM To: 'NYPHP Talk' Subject: RE: [nycphp-talk] Smarty String Comparison You would need to change the case of the string, say strtolower($var) == "var" if you want to compare a substring, use the function substr ($var, $start, $end) so if you wanted to compare the first 3 characters of $var to see if they matched var, you would do if (strtolower(substr($var,0,3)) == "var") { dosomething; } -----Original Message----- From: talk-bounces at lists.nyphp.org [mailto:talk-bounces at lists.nyphp.org]On Behalf Of Kshitij Bedi Sent: Thursday, December 04, 2003 2:54 PM To: 'NYPHP Talk' Subject: [nycphp-talk] Smarty String Comparison Hi there Can someone tell me how to do case insensitive string comparison in smarty templates. and also how to trim strings while comparing them. For e.g. {if $var == "Var"} Display {/if} if this is the statement how to I change it so that it trims $var and does a case insensitive compare with "Var" _______________________________________________ talk mailing list talk at lists.nyphp.org http://lists.nyphp.org/mailman/listinfo/talk _______________________________________________ talk mailing list talk at lists.nyphp.org http://lists.nyphp.org/mailman/listinfo/talk _______________________________________________ talk mailing list talk at lists.nyphp.org http://lists.nyphp.org/mailman/listinfo/talk _______________________________________________ talk mailing list talk at lists.nyphp.org http://lists.nyphp.org/mailman/listinfo/talk From dmintz at davidmintz.org Thu Dec 4 17:58:44 2003 From: dmintz at davidmintz.org (David Mintz) Date: Thu, 4 Dec 2003 17:58:44 -0500 (EST) Subject: [nycphp-talk] PEAR (was: ..we don't need no stinkin security!) In-Reply-To: <3FCF7B7C.40202@nyphp.com> Message-ID: What does anyone else think of PEAR? Here I was believing the hype about the great quality... and increasingly, using PEAR. Just now I've been playing with the Auth package and it certainly is not hard to set up. ergo, from my point of view, not inordinately complex. I assume you Cookbook guys have nothing against PEAR, n'est-ce pas? On Thu, 4 Dec 2003, Hans Zaunere wrote: > > > Tim Gales wrote: > > > H writes: > > "...PEAR doesn't do this for a number of reasons..." > > > > Is it fair to characterize your response as: > > > > 1) Not modular (too interconnected) > > 2) Complex (large) making it: > > 2a) hard to maintain > > 2b) slow > > 2c) prone to security flaws > > Yes, albeit taken out of context it sounds very harsh :) > > In all, I feel that these points hold true in any environment, PHP/PEAR or not. > --- David Mintz http://davidmintz.org/ "Anybody else got a problem with Webistics?" Sopranos 24:17 From jlacey at att.net Thu Dec 4 18:21:40 2003 From: jlacey at att.net (John Lacey) Date: Thu, 04 Dec 2003 16:21:40 -0700 Subject: [nycphp-talk] security? we don't need no stinkin security! In-Reply-To: <3FCDE64D.10606@chxo.com> References: <009a01c3b99e$75995420$bf8d3818@oberon1> <3FCDE64D.10606@chxo.com> Message-ID: <3FCFC184.4020306@att.net> Chris Snyder wrote: > Tim Gales wrote: > >> John Lacey writes: >> ".. wouldn't it be nice if well-designed secure components (pcom?) >> were available that one could go to the 'lego box' and pull out what >> you need to put it together..." >> >> Are you saying that Pear doesn't dot this? >> >> > "Well-designed" and "secure" mean different things to different folks, > but classes generic enough to be used as lego blocks have a hard time > earning those descriptions. > > answering one generalization with another wasn't exactly what I had in mind, but on the other hand, I probably deserved it John From jsiegel1 at optonline.net Thu Dec 4 18:56:00 2003 From: jsiegel1 at optonline.net (Jeff Siegel) Date: Thu, 04 Dec 2003 18:56:00 -0500 Subject: [nycphp-talk] For the NYPHP Party Message-ID: <3FCFC990.3080903@optonline.net> Since it is mentioned on the home page of the site that the party will make it possible to "Put faces to email address"...I thought it might be a good idea if we wore name tags that had our email address on it. Whadda ya think? Jeff Siegel -- Found on the Simpson's Website: "Ooooooh, they have the internet on computers now!" From jlacey at att.net Thu Dec 4 19:34:50 2003 From: jlacey at att.net (John Lacey) Date: Thu, 04 Dec 2003 17:34:50 -0700 Subject: [nycphp-talk] For the NYPHP Party In-Reply-To: <3FCFC990.3080903@optonline.net> References: <3FCFC990.3080903@optonline.net> Message-ID: <3FCFD2AA.5070200@att.net> SOME_L33T_DUDE_FROM_HELL'S_KITCHEN_AT_NOSPAM_REMOVE_THIS_BEFORE_SENDING at WHOKNOWSWHERE.ORG I couldn't resist :) Jeff Siegel wrote: > Since it is mentioned on the home page of the site that the party will > make it possible to "Put faces to email address"...I thought it might be > a good idea if we wore name tags that had our email address on it. > > Whadda ya think? > > Jeff Siegel > From dmintz at davidmintz.org Thu Dec 4 19:37:40 2003 From: dmintz at davidmintz.org (David Mintz) Date: Thu, 4 Dec 2003 19:37:40 -0500 (EST) Subject: [nycphp-talk] For the NYPHP Party In-Reply-To: <3FCFC990.3080903@optonline.net> Message-ID: Better yet, a tag that says: "From: Firstname Lastname " On Thu, 4 Dec 2003, Jeff Siegel wrote: > Since it is mentioned on the home page of the site that the party will > make it possible to "Put faces to email address"...I thought it might be > a good idea if we wore name tags that had our email address on it. > > Whadda ya think? --- David Mintz http://davidmintz.org/ "Anybody else got a problem with Webistics?" Sopranos 24:17 From jsiegel1 at optonline.net Thu Dec 4 20:18:41 2003 From: jsiegel1 at optonline.net (Jeff Siegel) Date: Thu, 04 Dec 2003 20:18:41 -0500 Subject: [nycphp-talk] For the NYPHP Party In-Reply-To: References: Message-ID: <3FCFDCF1.5010404@optonline.net> Excellent!! Anyone wanna volunteer to make up these tags? I have the list of attendees. Jeff Siegel David Mintz wrote: > Better yet, a tag that says: > > "From: Firstname Lastname " > > On Thu, 4 Dec 2003, Jeff Siegel wrote: > > >>Since it is mentioned on the home page of the site that the party will >>make it possible to "Put faces to email address"...I thought it might be >>a good idea if we wore name tags that had our email address on it. >> >>Whadda ya think? > > > > --- > David Mintz > http://davidmintz.org/ > > "Anybody else got a problem with Webistics?" > > Sopranos 24:17 > > > _______________________________________________ > talk mailing list > talk at lists.nyphp.org > http://lists.nyphp.org/mailman/listinfo/talk > -- Found on the Simpson's Website: "Ooooooh, they have the internet on computers now!" From felix at students.poly.edu Thu Dec 4 20:11:23 2003 From: felix at students.poly.edu (felix zaslavskiy) Date: Thu, 4 Dec 2003 20:11:23 -0500 Subject: [nycphp-talk] security? we don't need no stinkin security! In-Reply-To: <005b01c3b8eb$4dc7f040$bf8d3818@oberon1> References: <20031202044036.34245.qmail@web14307.mail.yahoo.com> <005b01c3b8eb$4dc7f040$bf8d3818@oberon1> Message-ID: <20031204201123.54497283.felix@students.poly.edu> What about vBulletin ? Its pretty good and does not cost that much. On Tue, 2 Dec 2003 10:45:24 -0500 "Tim Gales" wrote: > Chris Shiflett wrote: > "Yeah, someone really needs to write a forum in PHP that doesn't suck." > and "It's a shame that there are Perl applications that fit these needs > but no decent PHP representation." > > I have been meaning to take a look at the following: > http://www.yabbse.org/ > > It is a php conversion of YABB at > http://www.yabbforum.com/ > > YABB was done in Perl and is highly > touted (at least at Tucows) > > YABBSE was done in PHP. > > What caught my eye was the following quote from > the yabbse.org page: > "I checked my bandwidth with YaBB SE and its over 2 days 338 mb. When I > had YaBB gold it was close to a GIG a day" > > If the guy who said that is really on the level (I don't doubt his > honesty but there may have been fewer users doing fewer things) > that would mean PHP is approaching six times more efficient than > Perl. > > I wish I could find time to check the two implementations to > see where PHP is more efficient than Perl. > > T. Gales & Associates > 'Helping People Connect with Technology' > > http://www.tgaconnect.com > > > _______________________________________________ > talk mailing list > talk at lists.nyphp.org > http://lists.nyphp.org/mailman/listinfo/talk > From tgales at tgaconnect.com Thu Dec 4 21:22:51 2003 From: tgales at tgaconnect.com (Tim Gales) Date: Thu, 4 Dec 2003 21:22:51 -0500 Subject: [nycphp-talk] security? we don't need no stinkin security! In-Reply-To: <20031204201123.54497283.felix@students.poly.edu> Message-ID: <002401c3bad6$af3b69a0$bf8d3818@oberon1> felix zaslavskiy writes: > What about vBulletin ? > Its pretty good and does not cost that much. > Yes, vBulletin does looks pretty good. And I think it was under consideration for NYPHP. I am not sure why it wasn't chosen. (I do recall Hans saying something like buying a license for something was definitely an option -- so price was not an issue) The impression I got was that some members already were experienced with Invision -- so we went with that. Anyway the present forum (Invision) is a short term solution -- the long term solution is going to be to build as Chris Shiflett put it earlier ('twas oft thought but ne're so well expressed) "...a forum in PHP that doesn't suck." Maybe you could start a topic in the NYPHP forums describing vBulletins best features. In it you could ask for opinions about which features people think would be of most value for the new forum which is in the works. T. Gales & Associates 'Helping People Connect with Technology' http://www.tgaconnect.com From lists at ny-tech.net Thu Dec 4 21:28:56 2003 From: lists at ny-tech.net (Nasir Zubair) Date: Thu, 4 Dec 2003 21:28:56 -0500 Subject: [nycphp-talk] security? we don't need no stinkin security! In-Reply-To: <002401c3bad6$af3b69a0$bf8d3818@oberon1> Message-ID: <000301c3bad7$89f00790$6401a8c0@main> > Yes, vBulletin does looks pretty good. And I > think it was under consideration for NYPHP. > > I am not sure why it wasn't chosen. > (I do recall Hans saying something > like buying a license for something > was definitely an option -- so price > was not an issue) > The impression I got was that some > members already were experienced with > Invision -- so we went with that. I believe it was mentioned that the main reason for picking IPB was that it is "opensource". I can't recall where it was said, but am pretty sure that I can find the message :-) From felix at students.poly.edu Thu Dec 4 21:38:17 2003 From: felix at students.poly.edu (felix zaslavskiy) Date: Thu, 4 Dec 2003 21:38:17 -0500 Subject: [nycphp-talk] security? we don't need no stinkin security! In-Reply-To: <002401c3bad6$af3b69a0$bf8d3818@oberon1> References: <20031204201123.54497283.felix@students.poly.edu> <002401c3bad6$af3b69a0$bf8d3818@oberon1> Message-ID: <20031204213817.2ad22ace.felix@students.poly.edu> I am not too experienced with forums as far as aministrating them and such. I noticed forums with large numbers of posts choose vBulletin. For example sitepointforums.com has over a million posts and straightdope.com has over 4million posts. What I like about vBulletin is that its very user friendly. It just works like you would expect it too so you would never think the software is getting in the way. When the software becomes so instictive that you stop knowing its there then you know its pretty user friendly. On Thu, 4 Dec 2003 21:22:51 -0500 "Tim Gales" wrote: > felix zaslavskiy writes: > > What about vBulletin ? > > Its pretty good and does not cost that much. > > > Yes, vBulletin does looks pretty good. And I > think it was under consideration for NYPHP. > > I am not sure why it wasn't chosen. > (I do recall Hans saying something > like buying a license for something > was definitely an option -- so price > was not an issue) > The impression I got was that some > members already were experienced with > Invision -- so we went with that. > > Anyway the present forum (Invision) is a short term > solution -- the long term solution is going to be > to build as Chris Shiflett put it earlier > ('twas oft thought but ne're so well expressed) > "...a forum in PHP that doesn't suck." > > Maybe you could start a topic in the NYPHP > forums describing vBulletins best features. > In it you could ask for opinions about which > features people think would be of most value > for the new forum which is in the works. > > T. Gales & Associates > 'Helping People Connect with Technology' > > http://www.tgaconnect.com > > > > _______________________________________________ > talk mailing list > talk at lists.nyphp.org > http://lists.nyphp.org/mailman/listinfo/talk > From danielc at analysisandsolutions.com Thu Dec 4 22:17:19 2003 From: danielc at analysisandsolutions.com (Daniel Convissor) Date: Thu, 4 Dec 2003 22:17:19 -0500 Subject: [nycphp-talk] PEAR (was: ..we don't need no stinkin security!) In-Reply-To: References: <3FCF7B7C.40202@nyphp.com> Message-ID: <20031205031719.GA29512@panix.com> Heya: On Thu, Dec 04, 2003 at 05:58:44PM -0500, David Mintz wrote: > > What does anyone else think of PEAR? I've been using the DB package for the ST Parser sports data project, because I want my program to run on lots of different DBMS's. This package in particular is good, and with a bit of touch up work, could be great. I have tried, and continue try, to contribute to it. Unfortunately, the developers could do a better job of listening, accepting submissions and answering a few obscure, but key, questions which would help me help them. I think I'm close to getting some improvements in there. Fortunately, there are some energenic new people involved. Plus, each package has a different maintainer, so mileage may vary. Also, a new governing body has been established to help coordinate/plan things. Standards for documentation and other things have been put in place, which is great. Well, that's all for now, --Dan -- FREE scripts that make web and database programming easier http://www.analysisandsolutions.com/software/ T H E A N A L Y S I S A N D S O L U T I O N S C O M P A N Y 4015 7th Ave #4AJ, Brooklyn NY v: 718-854-0335 f: 718-854-0409 From lists at ny-tech.net Thu Dec 4 23:19:36 2003 From: lists at ny-tech.net (Nasir Zubair) Date: Thu, 4 Dec 2003 23:19:36 -0500 Subject: [nycphp-talk] Searching DMOZ using PHP. Message-ID: <000601c3bae6$ff4a7520$6401a8c0@main> Hello everyone, I did a project about a year ago which interfaced with DMOZ for DMOZ directories and search results. What client wanted was to list results from his own database on top and then list DMOZ results. I implemented a fairly straight forward caching system for the categories since they are not updated as often. But the searching part is directly fetched from DMOZ for every search. Here is what I used back then to get search results: =============================== // prepare search URL for DMOZ. $searchurl = $searchurl . $searchstring . ($start == "" ? "" : "&start=" . $start ) . ($morecat == "" ? "" : "&morecat=" . $morecat); $fp = fopen( $searchurl, "r" ); $html = join( "", file( $searchurl ) ); fclose ( $fp ); =============================== I have been contacted by the client to revise the code. Along with a few other things, search results retrieval from DMOZ needs to be looked at again and optimized. I need suggestions as to how I can change the above code to make it better. Storing RDF dump on the local server is out of the question, as the site is on a shared server and will not have enough disk space to fit the dump onto disk/database. Thanks, Nasir From danielc at analysisandsolutions.com Thu Dec 4 23:48:43 2003 From: danielc at analysisandsolutions.com (Daniel Convissor) Date: Thu, 4 Dec 2003 23:48:43 -0500 Subject: [nycphp-talk] Searching DMOZ using PHP. In-Reply-To: <000601c3bae6$ff4a7520$6401a8c0@main> References: <000601c3bae6$ff4a7520$6401a8c0@main> Message-ID: <20031205044843.GA7146@panix.com> On Thu, Dec 04, 2003 at 11:19:36PM -0500, Nasir Zubair wrote: > $searchurl = $searchurl . $searchstring . ($start == "" ? "" : "&start=" . > $start ) . > ($morecat == "" ? "" : "&morecat=" . $morecat); In that syntax, use ' instead of ". I'd break that up for clarity. But, of course, that's a style question... $searchurl = $searchurl . $searchstring; if ($start) { $searchurl .= "&start=$start"; } if ($morecat) { $searchurl .= "&morecat=$morecat"; } Some folks might change those if's into one liners, but "that's not my style." > $fp = fopen( $searchurl, "r" ); > $html = join( "", file( $searchurl ) ); > fclose ( $fp ); $html = file_get_contents($searchurl); --Dan -- FREE scripts that make web and database programming easier http://www.analysisandsolutions.com/software/ T H E A N A L Y S I S A N D S O L U T I O N S C O M P A N Y 4015 7th Ave #4AJ, Brooklyn NY v: 718-854-0335 f: 718-854-0409 From shawn at shawnlawyer.com Fri Dec 5 09:22:13 2003 From: shawn at shawnlawyer.com (Shawn Lawyer) Date: Fri, 5 Dec 2003 09:22:13 -0500 Subject: [nycphp-talk] For the NYPHP Party References: <3FCFDCF1.5010404@optonline.net> Message-ID: <000901c3bb3b$2dd7ae40$ae40c718@Della> moo, i'll make the. what about the printing though. i'd be doing it in illustrator. they could be printed at say knikos or anywhere that there is a printer that can print eps. shawn lawyer ----- Original Message ----- From: "Jeff Siegel" To: "NYPHP Talk" Sent: Thursday, December 04, 2003 8:18 PM Subject: Re: [nycphp-talk] For the NYPHP Party > Excellent!! > > Anyone wanna volunteer to make up these tags? I have the list of attendees. > > Jeff Siegel > > David Mintz wrote: > > > Better yet, a tag that says: > > > > "From: Firstname Lastname " > > > > On Thu, 4 Dec 2003, Jeff Siegel wrote: > > > > > >>Since it is mentioned on the home page of the site that the party will > >>make it possible to "Put faces to email address"...I thought it might be > >>a good idea if we wore name tags that had our email address on it. > >> > >>Whadda ya think? > > > > > > > > --- > > David Mintz > > http://davidmintz.org/ > > > > "Anybody else got a problem with Webistics?" > > > > Sopranos 24:17 > > > > > > _______________________________________________ > > talk mailing list > > talk at lists.nyphp.org > > http://lists.nyphp.org/mailman/listinfo/talk > > > > -- > Found on the Simpson's Website: "Ooooooh, they have the internet on > computers now!" > > _______________________________________________ > talk mailing list > talk at lists.nyphp.org > http://lists.nyphp.org/mailman/listinfo/talk > From nyphp at websapp.com Fri Dec 5 09:36:52 2003 From: nyphp at websapp.com (Daniel Kushner) Date: Fri, 5 Dec 2003 09:36:52 -0500 Subject: [nycphp-talk] For the NYPHP Party In-Reply-To: <000901c3bb3b$2dd7ae40$ae40c718@Della> Message-ID: > moo, > i'll make the. what about the printing though. i'd be doing it > in illustrator. they could be printed at say knikos or anywhere > that there is a printer that can print eps. > shawn lawyer Hi Shawn, New York PHP has a budget for these things. Try to get a quote for Kinkos and let me know how much it is. Best, Daniel From jeffb at uniquephoto.com Fri Dec 5 10:36:21 2003 From: jeffb at uniquephoto.com (Jeff Barrett) Date: Fri, 5 Dec 2003 10:36:21 -0500 Subject: [nycphp-talk] array of object being passed by reference problem Message-ID: I have the following test script: setVar($i); $this->objs[] = $o; } } function setVar( $id ) { $this->junk = $id; print "set ".$this->junk."
"; } function getObjs() { return $this->objs; } function printall() { foreach($this->objs as $pos => $o ) { print "print ".$o->junk."
"; } } } $obj = new testObj(); $obj->populate(); $objs = &$obj->getObjs(); print "
"; foreach($objs as $pos => $o ) { print $o->junk."
"; } foreach( $objs as $pos => $o ) { $o->setVar("aa".$pos); print "
"; } foreach( $objs as $pos => $o ) { print $o->junk."
"; } $obj->printall(); ?> Which is putting out the following to the screen: set 0 set 1 set 2 set 3 set 4 0 1 2 3 4 set aa0 set aa1 set aa2 set aa3 set aa4 0 1 2 3 4 print 0 print 1 print 2 print 3 print 4 The problem, after the set aa0...aa4 lines I should not be seeing 0...4 and print 0...print 1. I should be seeing aa0...aa4 and print aa0...print aa4. The problem seems to lie in how I am passing the array of objects to the calling program and then having those changes be a part of the object, seems like I am just changing a copy of the object since the changes are not sticking. Any help with this would be greatly appreciated. Thanks, Jeff Barrett Email: jeffb at uniquephoto.com IM: jeffreyabarrett Phone: 973-377-5555 ext 205 From dmintz at davidmintz.org Fri Dec 5 11:27:07 2003 From: dmintz at davidmintz.org (David Mintz) Date: Fri, 5 Dec 2003 11:27:07 -0500 (EST) Subject: [nycphp-talk] security? we don't need no stinkin security! In-Reply-To: <000801c3ba86$a6e3d940$bf8d3818@oberon1> Message-ID: On Thu, 4 Dec 2003, Tim Gales wrote: > Is it fair to characterize your response as: > > 1) Not modular (too interconnected) > Help out a comparative beginner here. Why is interdependency a bad thing? If A, B and C depend on Y, it means they are all (re-)using Y, which leads -- does it not? -- into the virtuous circle of code re-use: code getting used, bugs getting discovered, followed by bugs getting fixed, leading to more robust code, hence more re-use. Yeah, I can see where parsing and loading 2500 lines of code of which you only need %10 is a performance hit in an interpreted language, -- leaner and meaner equals faster. But doesn't hardware evolve in the direction of faster, and isn't PHP itself's performance being improved so that it's ever faster at loading PHP code? Thanks. --- David Mintz http://davidmintz.org/ "Anybody else got a problem with Webistics?" Sopranos 24:17 From adam at trachtenberg.com Fri Dec 5 11:34:09 2003 From: adam at trachtenberg.com (Adam Maccabee Trachtenberg) Date: Fri, 5 Dec 2003 11:34:09 -0500 (EST) Subject: [nycphp-talk] array of object being passed by reference problem In-Reply-To: References: Message-ID: On Fri, 5 Dec 2003, Jeff Barrett wrote: > The problem seems to lie in how I am passing the array of objects to the > calling program and then having those changes be a part of the object, seems > like I am just changing a copy of the object since the changes are not > sticking. Any help with this would be greatly appreciated. Welcome to life with PHP 4. Your code does what you want under PHP 5. -adam -- adam at trachtenberg.com author of o'reilly's php cookbook avoid the holiday rush, buy your copy today! From shiflett at php.net Fri Dec 5 11:48:01 2003 From: shiflett at php.net (Chris Shiflett) Date: Fri, 5 Dec 2003 08:48:01 -0800 (PST) Subject: [nycphp-talk] security? we don't need no stinkin security! In-Reply-To: Message-ID: <20031205164802.24768.qmail@web14305.mail.yahoo.com> --- David Mintz wrote: > Help out a comparative beginner here. Why is interdependency a bad > thing? If A, B and C depend on Y, it means they are all (re-)using Y, > which leads -- does it not? -- into the virtuous circle of code > re-use: code getting used, bugs getting discovered, followed by bugs > getting fixed, leading to more robust code, hence more re-use. I think the argument goes something like this: Each module should do one thing and do it well (ala Unix philosophy). For example, on a Unix system, I can grep through the output of ps by doing something likethis: ps | grep foo Both grep and foo are independent, but they can be combined. Code can work in much the same way. If grep cannot be used without ps, or if ps cannot be used without grep, this would be seen by many as a shortcoming. Hope that helps. I can elaborate, but that's the basic idea. Chris ===== Chris Shiflett - http://shiflett.org/ PHP Security Handbook Coming mid-2004 HTTP Developer's Handbook http://httphandbook.org/ From dmintz at davidmintz.org Fri Dec 5 11:53:01 2003 From: dmintz at davidmintz.org (David Mintz) Date: Fri, 5 Dec 2003 11:53:01 -0500 (EST) Subject: [nycphp-talk] security? we don't need no stinkin security! In-Reply-To: <20031205164802.24768.qmail@web14305.mail.yahoo.com> Message-ID: On Fri, 5 Dec 2003, Chris Shiflett wrote: > I think the argument goes something like this: > > Each module should do one thing and do it well (ala Unix philosophy). For > example, on a Unix system, I can grep through the output of ps by doing > something likethis: > > ps | grep foo > > Both grep and foo are independent, but they can be combined. Code can work > in much the same way. If grep cannot be used without ps, or if ps cannot > be used without grep, this would be seen by many as a shortcoming. > > Hope that helps. I can elaborate, but that's the basic idea. I get it. Thanks. David From dmintz at davidmintz.org Fri Dec 5 12:07:18 2003 From: dmintz at davidmintz.org (David Mintz) Date: Fri, 5 Dec 2003 12:07:18 -0500 (EST) Subject: [nycphp-talk] security? we don't need no stinkin security! In-Reply-To: Message-ID: On second thought: Suppose -- just hypothetically -- I write a shell script that greps the ps output for a user-specified string. I could say, here's my shell script and you're welcome to use it, but it depends on ps and grep being installed on your system. Is it not a good shell script? Should it have its own ps and grep functionality built in, independently? fwiw, I'm not arguing for argument's sake, just trying to learn stuff from y'all. thanks. On Fri, 5 Dec 2003, David Mintz wrote: > On Fri, 5 Dec 2003, Chris Shiflett wrote: > > > I think the argument goes something like this: > > > > Each module should do one thing and do it well (ala Unix philosophy). For > > example, on a Unix system, I can grep through the output of ps by doing > > something likethis: > > > > ps | grep foo > > > > Both grep and foo are independent, but they can be combined. Code can work > > in much the same way. If grep cannot be used without ps, or if ps cannot > > be used without grep, this would be seen by many as a shortcoming. > > > > Hope that helps. I can elaborate, but that's the basic idea. > > I get it. Thanks. > > David > > _______________________________________________ > talk mailing list > talk at lists.nyphp.org > http://lists.nyphp.org/mailman/listinfo/talk > --- David Mintz http://davidmintz.org/ ATTN Everybody: dmintz at panix.com will be unplugged as of 01-Dec-2003! Please use dmintz at davidmintz.org "Anybody else got a problem with Webistics?" Sopranos 24:17 From csnyder at chxo.com Fri Dec 5 12:35:50 2003 From: csnyder at chxo.com (Chris Snyder) Date: Fri, 05 Dec 2003 12:35:50 -0500 Subject: [nycphp-talk] security? we don't need no stinkin security! In-Reply-To: References: Message-ID: <3FD0C1F6.7030802@chxo.com> David Mintz wrote: >Yeah, I can see where parsing and loading 2500 lines of code of which you >only need %10 is a performance hit in an interpreted language, -- leaner >and meaner equals faster. But doesn't hardware evolve in the direction of >faster, and isn't PHP itself's performance being improved so that it's >ever faster at loading PHP code? > > It's not just the performance hit -- which can be significant (fear the Smarty demo) -- there may be security implications as well. (back to the subject line?) For rapid development or prototyping, there is no question that (re)using classes a la Pear is an attractive option. Certainly for specialized tasks (parsing mp3 ID3 tags comes to mind). But at some point, you have to take a hard look at the 90% that you're not using, and consider writing bespoke classes. Do this a few times and you begin to see Pear as not so useful. The nice thing about OO is that the rewrite only has to implement the bits of the original API that your application uses. Not painless, but not so bad, either. Unless the class you're replacing had an inefficient way of doing things... csnyder From csnyder at chxo.com Fri Dec 5 12:37:34 2003 From: csnyder at chxo.com (Chris Snyder) Date: Fri, 05 Dec 2003 12:37:34 -0500 Subject: [nycphp-talk] security? we don't need no stinkin security! In-Reply-To: References: Message-ID: <3FD0C25E.1020406@chxo.com> David Mintz wrote: >Should it have >its own ps and grep functionality built in, independently? > > No -- but it should allow me to easily configure the path to both ps and grep, just in case I want to use superPs and superGrep instead. From jlacey at att.net Fri Dec 5 12:37:56 2003 From: jlacey at att.net (John Lacey) Date: Fri, 05 Dec 2003 10:37:56 -0700 Subject: [nycphp-talk] security? we don't need no stinkin security! In-Reply-To: <3FD0C1F6.7030802@chxo.com> References: <3FD0C1F6.7030802@chxo.com> Message-ID: <3FD0C274.5000309@att.net> Chris Snyder wrote: >> > It's not just the performance hit -- which can be significant (fear the > Smarty demo) -- there may be security implications as well. (back to the > subject line?) > Chris, can you elaborate on the Smarty performance a tad? thanks, John From shiflett at php.net Fri Dec 5 12:43:24 2003 From: shiflett at php.net (Chris Shiflett) Date: Fri, 5 Dec 2003 09:43:24 -0800 (PST) Subject: [nycphp-talk] security? we don't need no stinkin security! In-Reply-To: Message-ID: <20031205174324.20439.qmail@web14310.mail.yahoo.com> --- David Mintz wrote: > Suppose -- just hypothetically -- I write a shell script that greps > the ps output for a user-specified string. I could say, here's my > shell script and you're welcome to use it, but it depends on ps and > grep being installed on your system. Is it not a good shell script? I think it's a fine shell script, but it might not be such a good module, if that makes sense. If someone comes along and decides that they want the functionality of ps, grep, and something else, they should use grep and ps separately rather than your script. I'm not saying I'm dead set on this approach, but I understand the argument. On the other side, such abstraction can potentially be a good thing. I think it really depends on the situation and your personal preference. Chris ===== Chris Shiflett - http://shiflett.org/ PHP Security Handbook Coming mid-2004 HTTP Developer's Handbook http://httphandbook.org/ From james at surgam.net Fri Dec 5 12:49:12 2003 From: james at surgam.net (James Wetterau) Date: Fri, 05 Dec 2003 12:49:12 -0500 Subject: [nycphp-talk] security? we don't need no stinkin security! Message-ID: <200312051749.hB5HnCV08921@panix2.panix.com> David Mintz says: ... > > Suppose -- just hypothetically -- I write a shell script that greps the ps > output for a user-specified string. I could say, here's my shell script > and you're welcome to use it, but it depends on ps and grep being > installed on your system. Is it not a good shell script? Should it have > its own ps and grep functionality built in, independently? I would say it should certainly not have that functionality built in, since anywhere you can run your shell script, including Windows using Cygwin or the like, you can get ps or grep. So why reinvent the wheel? The codebase behind ps and grep is likely to have benefited from all kinds of improvements over the years. However, compatibility is a somewhat knotty problem, which things like Posix attempt to address. There will always be tradeoffs in such decisions. An example of an interesting decision to the contrary occurred when Tom Christiansen of Perl fame got fed up with the absence of consistent shell tools for use in Perl scripting of systems tasks. He spearheaded an effort under the name "Perl Power Tools" to re-write in pure Perl a lot of the typical tools you might find in /bin, /usr/bin and /usr/local/bin on a BSD system. The idea was that when done, anywhere you could run Perl you could always have cat, grep, find, tset, stty, ls -- even awk -- by loading the appropriate Perl module, in case the tools weren't available in native C implementations. I'm not sure what came of that project. However, I think it is interesting that the effort recognized the value of the particular historic Unix tool set and didn't attempt to redesign them. The notion was to deal with systems where there might well not be a a ps or grep yet, which is probably not the case when shell scripting. Another interesting alternative approach is embodied in the "BusyBox" tool: http://www.busybox.net/downloads/BusyBox.html BusyBox unifies the executable, but keeps the separate interface. BusyBox is also meeting a niche need: very constrained memory environments that want the traditional Unix toolkit. In my humble opinion, issues of what to keep separate, what to unify, where interface lines should be drawn, when to reuse, when to reimplement, and how best to modularize code are the most complex area of freedom to deal with intelligently in just about any programming task, and there is no simple rule for doing it right. Your individual situation should always guide your decision. > fwiw, I'm not arguing for argument's sake, just trying to learn stuff from > y'all. thanks. > > On Fri, 5 Dec 2003, David Mintz wrote: > > > On Fri, 5 Dec 2003, Chris Shiflett wrote: > > > > > I think the argument goes something like this: > > > > > > Each module should do one thing and do it well (ala Unix philosophy). For > > > example, on a Unix system, I can grep through the output of ps by doing > > > something likethis: > > > > > > ps | grep foo > > > > > > Both grep and foo are independent, but they can be combined. Code can wor k > > > in much the same way. If grep cannot be used without ps, or if ps cannot > > > be used without grep, this would be seen by many as a shortcoming. > > > > > > Hope that helps. I can elaborate, but that's the basic idea. > > > > I get it. Thanks. > > > > David > > > > _______________________________________________ > > talk mailing list > > talk at lists.nyphp.org > > http://lists.nyphp.org/mailman/listinfo/talk > > > > > --- > David Mintz > http://davidmintz.org/ > ATTN Everybody: dmintz at panix.com will be unplugged as of 01-Dec-2003! > Please use dmintz at davidmintz.org > > > "Anybody else got a problem with Webistics?" > > Sopranos 24:17 > > _______________________________________________ > talk mailing list > talk at lists.nyphp.org > http://lists.nyphp.org/mailman/listinfo/talk From csnyder at chxo.com Fri Dec 5 12:51:43 2003 From: csnyder at chxo.com (Chris Snyder) Date: Fri, 05 Dec 2003 12:51:43 -0500 Subject: [nycphp-talk] security? we don't need no stinkin security! In-Reply-To: <3FD0C274.5000309@att.net> References: <3FD0C1F6.7030802@chxo.com> <3FD0C274.5000309@att.net> Message-ID: <3FD0C5AF.2000107@chxo.com> John Lacey wrote: > Chris, can you elaborate on the Smarty performance a tad? > At the September meeting we ran Smarty through the Zend IDE's profiler, and compared the results with PHPLib. The results were striking -- it's not the most efficient approach. Daniel Kushner might have saved the actual numbers somewhere. It's a totally subjective measurement, of course. As David points out, efficiency becomes less of a concern with each hardware upgrade. And for a server that gets up to a few thousand hits an hour, no worries. There's part of me that says a request can take up to a second before I really care, but there's no way you can get away with that on a large site, or a big shared server. From jlacey at att.net Fri Dec 5 13:06:04 2003 From: jlacey at att.net (John Lacey) Date: Fri, 05 Dec 2003 11:06:04 -0700 Subject: [nycphp-talk] security? we don't need no stinkin security! In-Reply-To: <3FD0C5AF.2000107@chxo.com> References: <3FD0C1F6.7030802@chxo.com> <3FD0C274.5000309@att.net> <3FD0C5AF.2000107@chxo.com> Message-ID: <3FD0C90C.7010305@att.net> Chris Snyder wrote: > At the September meeting we ran Smarty through the Zend IDE's profiler, > and compared the results with PHPLib. The results were striking -- it's > not the most efficient approach. Daniel Kushner might have saved the > actual numbers somewhere. > > It's a totally subjective measurement, of course. As David points out, > efficiency becomes less of a concern with each hardware upgrade. And for > a server that gets up to a few thousand hits an hour, no worries. > There's part of me that says a request can take up to a second before I > really care, but there's no way you can get away with that on a large > site, or a big shared server. thanks, I've exchanged a few msgs with a developer on a Sourceforge project I'm interested in, and suggested he either use Smarty or at least put the table and form handling logic in classes (it was in reference to an internationalization issue, since the code is not structured to handle it) he balked at the Smarty idea (performance) and your remarks caught my attention -- Daniel, are those numbers still around? From nyphp at websapp.com Fri Dec 5 13:10:58 2003 From: nyphp at websapp.com (Daniel Kushner) Date: Fri, 5 Dec 2003 13:10:58 -0500 Subject: [nycphp-talk] security? we don't need no stinkin security! In-Reply-To: <3FD0C90C.7010305@att.net> Message-ID: > > he balked at the Smarty idea (performance) and your remarks > caught my attention -- > > Daniel, are those numbers still around? I haven't got them (I think). I'll re-profile the code and post in on the New York PHP website. --Daniel From jlacey at att.net Fri Dec 5 13:13:31 2003 From: jlacey at att.net (John Lacey) Date: Fri, 05 Dec 2003 11:13:31 -0700 Subject: [nycphp-talk] security? we don't need no stinkin security! In-Reply-To: References: Message-ID: <3FD0CACB.5080900@att.net> thanks -- and there is a prize for the first person who volunteers to change the Subject line on all these posts :) Daniel Kushner wrote: >>he balked at the Smarty idea (performance) and your remarks >>caught my attention -- >> >>Daniel, are those numbers still around? > > > I haven't got them (I think). I'll re-profile the code and post in on the > New York PHP website. > > --Daniel > > > _______________________________________________ > talk mailing list > talk at lists.nyphp.org > http://lists.nyphp.org/mailman/listinfo/talk > >From hans not junk at nyphp.com Fri Dec 5 13:18:17 2003 Return-Path: Received: from londo.swishmail.com (londo.swishmail.com [209.10.110.95]) by virtu.nyphp.org (Postfix) with ESMTP id EB2EEA8603 for ; Fri, 5 Dec 2003 13:18:17 -0500 (EST) Received: (qmail 19322 invoked by uid 89); 5 Dec 2003 18:18:17 -0000 Received: from unknown (HELO nyphp.com) (hans not junk at nyphp.com@128.122.155.151) by londo.swishmail.com with AES256-SHA encrypted SMTP; 5 Dec 2003 18:18:17 -0000 Message-ID: <3FD0CC2C.2080202 at nyphp.com> Date: Fri, 05 Dec 2003 13:19:24 -0500 From: Hans Zaunere User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.5) Gecko/20031007 X-Accept-Language: en-us, en MIME-Version: 1.0 To: NYPHP Talk Subject: Re: [nycphp-talk] security? we don't need no stinkin security! References: In-Reply-To: Content-Type: text/plain; charset=us-ascii; format=flowed Content-Transfer-Encoding: 7bit X-BeenThere: talk at lists.nyphp.org X-Mailman-Version: 2.1.2 Precedence: list Reply-To: NYPHP Talk List-Id: NYPHP Talk List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 05 Dec 2003 18:18:18 -0000 David Mintz wrote: > > On second thought: > > Suppose -- just hypothetically -- I write a shell script that greps the ps > output for a user-specified string. I could say, here's my shell script > and you're welcome to use it, but it depends on ps and grep being > installed on your system. Is it not a good shell script? Should it have > its own ps and grep functionality built in, independently? I think it's key to cut a distinction between code reuse, modularity, and frameworks. PEAR is a framework. Just as in a house, if a load-bearing beam is removed, the structure will crumble. This is the typical architecture of a framework. However, imagine if you could build a house with no load-bearing beams. The house, and the functionality it provides, is a composite of many smaller beams - and if one is removed or changed, the structure and functionality withstands. Sure, each beam is dependent on it's peers to operate fully and deliver the ultimate functionality required, but it's not totally integrated - there might be plastic beams, wood beams, steel, etc. And, each beam can be reused to shape the total structure differently - this is a modular or component based architecture. In essence, it's not easy, nor would it make sense [1], to only use a piece of a framework - it's all or nothing - and the PEAR/CPAN model is akin to this. It is important to remember, however, that sometimes this is the correct model - take FreeBSD ports collection... :) While there is a great deal of dependency, it's a "closed" system - no one is using the ports system to develop an ecommerce site, then a login system and a mailing list. H [1] because of loads of overhead in code you're never using, security issues, and maintenance issues From adam at trachtenberg.com Fri Dec 5 14:34:07 2003 From: adam at trachtenberg.com (Adam Maccabee Trachtenberg) Date: Fri, 5 Dec 2003 14:34:07 -0500 (EST) Subject: [nycphp-talk] security? we don't need no stinkin security! In-Reply-To: <3FD0C5AF.2000107@chxo.com> References: <3FD0C1F6.7030802@chxo.com> <3FD0C274.5000309@att.net> <3FD0C5AF.2000107@chxo.com> Message-ID: On Fri, 5 Dec 2003, Chris Snyder wrote: > At the September meeting we ran Smarty through the Zend IDE's profiler, > and compared the results with PHPLib. The results were striking -- it's > not the most efficient approach. Daniel Kushner might have saved the > actual numbers somewhere. FWIW, from what I've heard, Smarty performance is significantly improved when you use apc, or some similar opcode caching product. -adam -- adam at trachtenberg.com author of o'reilly's php cookbook avoid the holiday rush, buy your copy today! From jonbaer at jonbaer.net Fri Dec 5 15:46:21 2003 From: jonbaer at jonbaer.net (jon baer) Date: Fri, 5 Dec 2003 15:46:21 -0500 Subject: [nycphp-talk] osCommerce (Gift Certificates + Shipping) Message-ID: <003a01c3bb70$d7b35010$6400a8c0@thinkpad> trying to figure something out w/ oscommerce ... i added a gift certificate module for my site and then added USPS web api for shipping calculation + figured to hack and edit the usps module to accept a weight of 0 lbs to just display $0 cost (for electronic goods) ... does this sound right? or could i have done this without editing the shipment module? - jon pgp key: http://www.jonbaer.net/jonbaer.asc fingerprint: F438 A47E C45E 8B27 F68C 1F9B 41DB DB8B 9A0C AF47 From geek at invisiblemute.com Fri Dec 5 15:58:02 2003 From: geek at invisiblemute.com (=?iso-8859-1?B?aW52aXNpYmxlbXV0ZQ==?=) Date: Fri, 05 Dec 2003 15:58:02 -0500 Subject: =?iso-8859-1?B?UmU6IFtueXBocC10YWxrXSBzZWN1cml0eT8gd2UgZG9uJ3QgbmVlZCBubyBzdGlua2luIHNlY3VyaXR5IQ==?= Message-ID: <20031205205802.24879.qmail@hosting33.com> -------Original Message------- > From: Tim Gales <tgales at tgaconnect.com> > Subject: RE: [nycphp-talk] security? we don't need no stinkin security! > Sent: 04 Dec 2003 21:22:51 > > felix zaslavskiy writes: > > What about vBulletin ? > > Its pretty good and does not cost that much. > > > Yes, vBulletin does looks pretty good. And I > think it was under consideration for NYPHP. Sorry if I missed the beginning of this conversation (just joined), but does phpBB have serious problems, limitations or security holes that I'm not aware of? i'm' -------------- next part -------------- An HTML attachment was scrubbed... URL: From shiflett at php.net Fri Dec 5 16:04:33 2003 From: shiflett at php.net (Chris Shiflett) Date: Fri, 5 Dec 2003 13:04:33 -0800 (PST) Subject: [nycphp-talk] security? we don't need no stinkin security! In-Reply-To: <20031205205802.24879.qmail@hosting33.com> Message-ID: <20031205210433.60705.qmail@web14310.mail.yahoo.com> --- invisiblemute wrote: > Sorry if I missed the beginning of this conversation (just joined), > but does phpBB have serious problems, limitations or security holes > that I'm not aware of? It's slow, the code is a mess, and it is a frequent visitor of Dan's Security Focus PHP vulnerability updates. It looks good, though. :-) Chris ===== Chris Shiflett - http://shiflett.org/ PHP Security Handbook Coming mid-2004 HTTP Developer's Handbook http://httphandbook.org/ From sklar at sklar.com Fri Dec 5 16:26:35 2003 From: sklar at sklar.com (David Sklar) Date: Fri, 5 Dec 2003 16:26:35 -0500 Subject: [nycphp-talk] security? we don't need no stinkin security! In-Reply-To: <3FD0CC2C.2080202@nyphp.com> Message-ID: David Mintz wrote: > > Suppose -- just hypothetically -- I write a shell script that greps > the ps output for a user-specified string. I could say, here's my > shell script and you're welcome to use it, but it depends on ps and > grep being installed on your system. Is it not a good shell script? > Should it have its own ps and grep functionality built in, > independently? Aside from the suggestions others made about being able to drop in new versions of ps and grep for flexibility, I'll point out that ps, grep, and whatever shell your script is written for *do* have dependencies, e.g. libc. They don't each include their own I/O routines, signal handling, memory management, etc. I think part of the difficulty with this discussion w/r/t PHP is the fuzzy line the core PHP distribution provides between traditional language features and added functionality (i.e. there is setcookie() so you don't have to make your own cookie headers with header(), but you can't write new cookies to $_COOKIE like you can create new session variables by writing to $_SESSION; or even the fact that there is a bundledd session module) and the competing standards for add-on frameworks that handle a set (itself fuzzily defined) of "standard" web programming tasks like form handling, error management, templating, and so on. Which flows nicely into what Hans wrote: > I think it's key to cut a distinction between code reuse, modularity, > and frameworks. > > PEAR is a framework. Just as in a house, if a load-bearing beam > is removed, the structure will crumble. This is the typical > architecture of a framework. PHP doesn't provide everything you need for a web framework (IMHO there are good arguments for and against this) so there are various possible frameworks out there. For most projects, I think that the benefit of choosing something widely known and good enough far outweighs the potential speed or customization benefits from writing your own. David From enunez at tiaa-cref.org Fri Dec 5 17:36:36 2003 From: enunez at tiaa-cref.org (Nunez, Eddy) Date: Fri, 5 Dec 2003 15:36:36 -0700 Subject: [nycphp-talk] array of object being passed by reference proble m Message-ID: <7CE0EC1FC2D0D411910700508BE38D0F0A6D9DC3@msxnyusr01.msx.ops.tiaa-cref.org> Jeff buddy!! Remember me? :) "foreach" isn't object friendly... It's giving you copies to modify!! Here is a work around for what you want to achieve.. Change line: $o->setVar("aa".$pos); To: $objs[$pos]->setVar("aa".$pos); This will yield the results you want. I tried it, works like a champ. Remember: modification of array elements via indices is your php4 friend especially when dealing with objects! :) Eddy Nu?ez Tel: 718-614-7033 -----Original Message----- From: Jeff Barrett [mailto:jeffb at uniquephoto.com] Sent: Friday, December 05, 2003 10:36 AM To: talk at lists.nyphp.org Subject: [nycphp-talk] array of object being passed by reference problem I have the following test script: setVar($i); $this->objs[] = $o; } } function setVar( $id ) { $this->junk = $id; print "set ".$this->junk."
"; } function getObjs() { return $this->objs; } function printall() { foreach($this->objs as $pos => $o ) { print "print ".$o->junk."
"; } } } $obj = new testObj(); $obj->populate(); $objs = &$obj->getObjs(); print "
"; foreach($objs as $pos => $o ) { print $o->junk."
"; } foreach( $objs as $pos => $o ) { $o->setVar("aa".$pos); print "
"; } foreach( $objs as $pos => $o ) { print $o->junk."
"; } $obj->printall(); ?> Which is putting out the following to the screen: set 0 set 1 set 2 set 3 set 4 0 1 2 3 4 set aa0 set aa1 set aa2 set aa3 set aa4 0 1 2 3 4 print 0 print 1 print 2 print 3 print 4 The problem, after the set aa0...aa4 lines I should not be seeing 0...4 and print 0...print 1. I should be seeing aa0...aa4 and print aa0...print aa4. The problem seems to lie in how I am passing the array of objects to the calling program and then having those changes be a part of the object, seems like I am just changing a copy of the object since the changes are not sticking. Any help with this would be greatly appreciated. Thanks, Jeff Barrett Email: jeffb at uniquephoto.com IM: jeffreyabarrett Phone: 973-377-5555 ext 205 _______________________________________________ talk mailing list talk at lists.nyphp.org http://lists.nyphp.org/mailman/listinfo/talk ************************************************************** This message, including any attachments, contains confidential information intended for a specific individual and purpose, and is protected by law. If you are not the intended recipient, please contact sender immediately by reply e-mail and destroy all copies. You are hereby notified that any disclosure, copying, or distribution of this message, or the taking of any action based on it, is strictly prohibited. TIAA-CREF ************************************************************** From geek at invisiblemute.com Fri Dec 5 19:19:35 2003 From: geek at invisiblemute.com (=?iso-8859-1?B?aW52aXNpYmxlbXV0ZQ==?=) Date: Fri, 05 Dec 2003 19:19:35 -0500 Subject: [nycphp-talk] PHP bulletin board, a new order, suggestions? Message-ID: <20031206001935.13064.qmail@hosting33.com> > From: Chris Shiflett <shiflett at php.net> > --- invisiblemute wrote: > > Sorry if I missed the beginning of this conversation (just joined), > > but does phpBB have serious problems, limitations or security holes > > that I'm not aware of? > > It's slow, the code is a mess, and it is a frequent visitor of Dan's > Security Focus PHP vulnerability updates. > > It looks good, though. :-) > Chris Crap! After hunting high and low that's what I went with for a recent project. I agree, it does look really nice and skins very easily. I'm surprised I haven't seen a product that functions like YahooGroups. Bulletin boards are nice but I think it's a fabulous idea to mesh with listserv like behavior. Has anyone come across something like this? Or better yet is there a solution that would seemlessly integrate with a product like EZMLM (I know I'm hoping for a lot here). Thanks. i'm' -------------- next part -------------- An HTML attachment was scrubbed... URL: From jonbaer at jonbaer.net Fri Dec 5 21:26:18 2003 From: jonbaer at jonbaer.net (jon baer) Date: Fri, 5 Dec 2003 21:26:18 -0500 Subject: [nycphp-talk] PHP bulletin board, a new order, suggestions? References: <20031206001935.13064.qmail@hosting33.com> Message-ID: <006701c3bba0$5a6c14e0$6400a8c0@thinkpad> Well ... Ive recently modded phpBB (which despite the contrary) to accept "forum subscriptions" which takes the place of a mailing list. Ive notice that *no* board does this which I found suprising. Basically on the profile Ive added subscriptions: [ ] Forum Name In which its more or less like "Notify me of replies in this forum/category" (vs. thread) ... then in the email have a reply link back to the board ... The other pretty neat feature is using the bad words regex replacements to cross link into your FAQ or a glossary for defining words. (or anything to help newbies without getting more intermediate/advance users frustrated in broad topics/forums) ... I find all php boards code crap - but either one once you have a know of what each part does u can really just run + go with it ... the security mess is all over the place i think, its not something that just pertains to that app ... - jon ----- Original Message ----- From: invisiblemute To: shiflett at php.net ; NYPHP Talk Sent: Friday, December 05, 2003 7:19 PM Subject: [nycphp-talk] PHP bulletin board, a new order, suggestions? > From: Chris Shiflett > --- invisiblemute wrote: > > Sorry if I missed the beginning of this conversation (just joined), > > but does phpBB have serious problems, limitations or security holes > > that I'm not aware of? > > It's slow, the code is a mess, and it is a frequent visitor of Dan's > Security Focus PHP vulnerability updates. > > It looks good, though. :-) > Chris Crap! After hunting high and low that's what I went with for a recent project. I agree, it does look really nice and skins very easily. I'm surprised I haven't seen a product that functions like YahooGroups. Bulletin boards are nice but I think it 's a fabulous idea to mesh with listserv like behavior. Has anyone come across something like this? Or better yet is there a solution that would seemlessly integrate with a product like EZMLM (I know I'm hoping for a lot here). Thanks. i'm' ------------------------------------------------------------------------------ _______________________________________________ talk mailing list talk at lists.nyphp.org http://lists.nyphp.org/mailman/listinfo/talk -------------- next part -------------- An HTML attachment was scrubbed... URL: From geek at invisiblemute.com Sat Dec 6 01:26:33 2003 From: geek at invisiblemute.com (=?iso-8859-1?B?aW52aXNpYmxlbXV0ZQ==?=) Date: Sat, 06 Dec 2003 01:26:33 -0500 Subject: [nycphp-talk] OT: Free HD to a good home (Ultra SCSI-3) Message-ID: <20031206062633.2885.qmail@hosting33.com> Was given a HD but haven't been able to use it. Can't bring myself to just toss it so please give a shout. Would be happy to meet up with anyone in person to give away for free, preferably around 32nd, 14th, or 110th near Mt. Sinai. It has a weird connection with what I am guessing the power contacts on either side of the SCSI connection instead of a Molex (?) connector like most drives. So I'm guessing this drive came out of a portable unit and would need such a housing. - - - Quantum Atlas II Atlas II 3.5-inch, 7200 RPM hard disk drives are top-performing devices that meet the needs of high-end storage subsystems, video servers, and workstations. The drives offer high capacity and feature the most advanced technology for exceptional performance and higher areal density. Atlas II drives have the industry's fastest seek time for a 9.1 gigabyte (GB) drive at 8 (milliseconds) ms. The drives are offered with an Ultra SCSI-3 interface. Storage Capacity: 4.5 GB Average Seek Time: as low as 8.0 ms Rotational Speed: 7200 RPM Interface Options: Ultra SCSI-3 - - - Disclaimer: This wasn't my drive and I've never used it or tested it. I make no guarentees on whether or not this thing works. I only pray that there isn't some weird crap on there like twisted porn or illegal junk. Please promise me that the first thing you'll do is format it. It could be infected for all I know. -------------- next part -------------- An HTML attachment was scrubbed... URL: From jlacey at att.net Sat Dec 6 16:37:43 2003 From: jlacey at att.net (John Lacey) Date: Sat, 06 Dec 2003 14:37:43 -0700 Subject: [nycphp-talk] sqlite utility and reloading a dump Message-ID: <3FD24C27.2070205@att.net> Hello all, I understand there are a couple people working on PHP5 on the list, so I'll begin here. In the process of converting a PHP application that uses MySQL to use SQLite, I naturally started with converting the schema into something that SQLite understood, e.g. INTEGER PRIMARY KEY for auto_increment and so forth. The file I am working with was created by phpMyAdmin which of course escapes single quotes within single-quoted strings with \' In firing up the sqlite.exe utility on a W2KPro box, I was getting "unrecognized token" errors. SQLite lets you read in a file with the command ".read FILENAME", once sqlite is invoked. I traced the error detection to the tokenizer.c file where an illegal token flag was being set when checking the \' sequence with a case statement of case '\'': I then went and downloaded sqlite version 2.8.7 -- just releases -- same indication. After going back and forth several times with SQLite's author, D. Richard Hipp, who was very responsive, he allowed that I could submit an enhancement to have a PRAGMA which turn on backslash escapes. My question is: hasn't this behavior come up before in light of the fact that SQLite is being included in PHP5? thanks, John From danielc at analysisandsolutions.com Sat Dec 6 17:24:33 2003 From: danielc at analysisandsolutions.com (Daniel Convissor) Date: Sat, 6 Dec 2003 17:24:33 -0500 Subject: [nycphp-talk] sqlite utility and reloading a dump In-Reply-To: <3FD24C27.2070205@att.net> References: <3FD24C27.2070205@att.net> Message-ID: <20031206222433.GA18650@panix.com> Hi John: On Sat, Dec 06, 2003 at 02:37:43PM -0700, John Lacey wrote: > > My question is: hasn't this behavior come up before in light > of the fact that SQLite is being included in PHP5? When escaping "'" without the use of an ESCAPE clause, most DBMS's, and perhaps the SQL-99 standard itself, use "''" MySQL kind of made up it's own thing by doing "\'" Do note, you can also use "''" in MySQL (at least in version 4.0, maybe in 3.2x too). The drag is mysqldump puts "\'" in there. That should be classified as a bug. --Dan -- FREE scripts that make web and database programming easier http://www.analysisandsolutions.com/software/ T H E A N A L Y S I S A N D S O L U T I O N S C O M P A N Y 4015 7th Ave #4AJ, Brooklyn NY v: 718-854-0335 f: 718-854-0409 From jlacey at att.net Sat Dec 6 17:28:44 2003 From: jlacey at att.net (John Lacey) Date: Sat, 06 Dec 2003 15:28:44 -0700 Subject: [nycphp-talk] sqlite utility and reloading a dump In-Reply-To: <20031206222433.GA18650@panix.com> References: <3FD24C27.2070205@att.net> <20031206222433.GA18650@panix.com> Message-ID: <3FD2581C.7070308@att.net> Daniel Convissor wrote: > > When escaping "'" without the use of an ESCAPE clause, most DBMS's, and > perhaps the SQL-99 standard itself, use "''" > > MySQL kind of made up it's own thing by doing "\'" Do note, you can also > use "''" in MySQL (at least in version 4.0, maybe in 3.2x too). > yeah, I pointed out the "''" method of escaping to the SQLite author (Hipp), and mentioned that the \' is used too > The drag is mysqldump puts "\'" in there. That should be classified as a > bug. > well, D. Richard Hipp is correct in pointing that out, but wanted to get a workaround before something hits the fan J From adam at trachtenberg.com Sat Dec 6 17:32:02 2003 From: adam at trachtenberg.com (Adam Maccabee Trachtenberg) Date: Sat, 6 Dec 2003 17:32:02 -0500 (EST) Subject: [nycphp-talk] sqlite utility and reloading a dump In-Reply-To: <3FD2581C.7070308@att.net> References: <3FD24C27.2070205@att.net> <20031206222433.GA18650@panix.com> <3FD2581C.7070308@att.net> Message-ID: On Sat, 6 Dec 2003, John Lacey wrote: > well, D. Richard Hipp is correct in pointing that out, but > wanted to get a workaround before something hits the fan Have you tried running mysqldump with the --fields-escaped-by parameter? Maybe you can make MySQL ouput '' instead of \'. Note: I have no idea if this command actually does this, I was just browsing the manual. http://www.mysql.com/doc/en/mysqldump.html -adam -- adam at trachtenberg.com author of o'reilly's php cookbook avoid the holiday rush, buy your copy today! From joshmccormack at travelersdiary.com Sat Dec 6 17:32:07 2003 From: joshmccormack at travelersdiary.com (Josh McCormack) Date: Sat, 06 Dec 2003 17:32:07 -0500 Subject: [nycphp-talk] PHP bulletin board, a new order, suggestions? In-Reply-To: <20031206001935.13064.qmail@hosting33.com> References: <20031206001935.13064.qmail@hosting33.com> Message-ID: <3FD258E7.4020705@travelersdiary.com> fudforum has a very interesting mailing list/newsgroup integration thing. Also, what about having a mailing list like Mailman, with some nice archiving programs running (mhonarc, etc), and have a web-to-mail script to allow browsers to participate. I know there can be security issues with allowing people to send mail through web pages, but could be done. Josh invisiblemute wrote: > > From: Chris Shiflett > > --- invisiblemute wrote: > > > Sorry if I missed the beginning of this conversation (just joined), > > > but does phpBB have serious problems, limitations or security holes > > > that I'm not aware of? > > > > It's slow, the code is a mess, and it is a frequent visitor of Dan's > > Security Focus PHP vulnerability updates. > > > > It looks good, though. :-) > > Chris > > Crap! After hunting high and low that's what I went with for a recent > project. I agree, it does look really nice and skins very easily. > > I'm surprised I haven't seen a product that functions like YahooGroups. > Bulletin boards are nice but I think it 's a fabulous idea to mesh with > listserv like behavior. Has anyone come across something like this? Or > better yet is there a solution that would seemlessly integrate with a > product like EZMLM (I know I'm hoping for a lot here). Thanks. > > i'm' > > > ------------------------------------------------------------------------ > > _______________________________________________ > talk mailing list > talk at lists.nyphp.org > http://lists.nyphp.org/mailman/listinfo/talk From jlacey at att.net Sat Dec 6 18:06:06 2003 From: jlacey at att.net (John Lacey) Date: Sat, 06 Dec 2003 16:06:06 -0700 Subject: [nycphp-talk] sqlite utility and reloading a dump In-Reply-To: References: <3FD24C27.2070205@att.net> <20031206222433.GA18650@panix.com> <3FD2581C.7070308@att.net> Message-ID: <3FD260DE.8020303@att.net> Adam Maccabee Trachtenberg wrote: > > Have you tried running mysqldump with the --fields-escaped-by > parameter? Maybe you can make MySQL ouput '' instead of \'. > > Note: I have no idea if this command actually does this, I was just > browsing the manual. > > http://www.mysql.com/doc/en/mysqldump.html in this case, I'm working with a file that comes packaged with an application -- in one of my emails to Mr. Hipp, I included a link to the php manual addslashes() function with the info about magic quotes, etc, etc. From danielc at analysisandsolutions.com Sat Dec 6 18:15:21 2003 From: danielc at analysisandsolutions.com (Daniel Convissor) Date: Sat, 6 Dec 2003 18:15:21 -0500 Subject: [nycphp-talk] sqlite utility and reloading a dump In-Reply-To: References: <3FD24C27.2070205@att.net> <20031206222433.GA18650@panix.com> <3FD2581C.7070308@att.net> Message-ID: <20031206231521.GA21390@panix.com> On Sat, Dec 06, 2003 at 05:32:02PM -0500, Adam Maccabee Trachtenberg wrote: > > Have you tried running mysqldump with the --fields-escaped-by > parameter? Maybe you can make MySQL ouput '' instead of \'. I think that's for what fields are enclosed in, such as the double quotes in the following "field1", "field2" --Dan -- FREE scripts that make web and database programming easier http://www.analysisandsolutions.com/software/ T H E A N A L Y S I S A N D S O L U T I O N S C O M P A N Y 4015 7th Ave #4AJ, Brooklyn NY v: 718-854-0335 f: 718-854-0409 From adam at trachtenberg.com Sat Dec 6 18:29:38 2003 From: adam at trachtenberg.com (Adam Maccabee Trachtenberg) Date: Sat, 6 Dec 2003 18:29:38 -0500 (EST) Subject: [nycphp-talk] sqlite utility and reloading a dump In-Reply-To: <20031206231521.GA21390@panix.com> References: <3FD24C27.2070205@att.net> <20031206222433.GA18650@panix.com> <3FD2581C.7070308@att.net> <20031206231521.GA21390@panix.com> Message-ID: On Sat, 6 Dec 2003, Daniel Convissor wrote: > On Sat, Dec 06, 2003 at 05:32:02PM -0500, Adam Maccabee Trachtenberg wrote: > > > > Have you tried running mysqldump with the --fields-escaped-by > > parameter? Maybe you can make MySQL ouput '' instead of \'. > > I think that's for what fields are enclosed in, such as the double quotes > in the following > "field1", "field2" Probably. -adam -- adam at trachtenberg.com author of o'reilly's php cookbook avoid the holiday rush, buy your copy today! From tech_learner at yahoo.com Sun Dec 7 23:09:50 2003 From: tech_learner at yahoo.com (Tech_learner) Date: Sun, 7 Dec 2003 20:09:50 -0800 (PST) Subject: [nycphp-talk] Fwd: [PHP Classes] Released new book review: Building Custom PHP Extensions Message-ID: <20031208040950.99015.qmail@web14311.mail.yahoo.com> PHP Classes wrote:To: tech_learner at yahoo.com Subject: [PHP Classes] Released new book review: Building Custom PHP Extensions Date: 8 Dec 2003 02:30:35 -0000 From: PHP Classes Released new book review: Building Custom PHP Extensions --------------------------------- --------------------------------- You are getting this message because you voluntarily subscribed to the PHP Classes site. To change your newsletter or alert messages delivery options, see the instructions at the bottom of this message. --------------------------------- Title Building Custom PHP Extensions Author Blake Schwendiman Publisher Lulu Press Sales ranking Week:9All time:109 --------------------------------- ReviewerManuel LemosRead this review --------------------------------- PHP Classes site tip of the dayLatest security vulnerabilities by e-mailKnow about the latest security vulnerabilities before the hackers compromise your site. Read about other interesting tips --------------------------------- If you are not interested in receiving any more messages like this one, or want to switch the message format between text and HTML, go to the user options page and change the respective delivery options. --------------------------------- For more information send a message to info at phpclasses.org.Copyright (c) 1999-2003 PHP Classes --------------------------------- Do you Yahoo!? New Yahoo! Photos - easier uploading and sharing -------------- next part -------------- An HTML attachment was scrubbed... URL: From jeffb at uniquephoto.com Mon Dec 8 09:58:40 2003 From: jeffb at uniquephoto.com (Jeff Barrett) Date: Mon, 8 Dec 2003 09:58:40 -0500 Subject: [nycphp-talk] array of object being passed by reference problem In-Reply-To: <7CE0EC1FC2D0D411910700508BE38D0F0A6D9DC3@msxnyusr01.msx.ops.tiaa-cref.org> Message-ID: Eddy, Definitely remember you! I found that out the hard way and my boss found a very interesting aspect that I had never used and only seen once or twice in C type code. function & method1() { return $this->arrayOfPointers; } Notice the & before the method1, that does some nice magic. Makes the function return pointers, not so sure how it makes that determination yet. Trying return & $this->arrayOfPointers; gives a syntax error. I am also curious to find out what the difference is when you preceded the constructor with the &, does it have global effects? Those more detailed questions will have to wait until I get this project done. Thanks for the help Eddy. Jeff > Jeff buddy!! Remember me? :) > > "foreach" isn't object friendly... It's giving you copies to modify!! > Here is a work around for what you want to achieve.. > > Change line: $o->setVar("aa".$pos); > > To: $objs[$pos]->setVar("aa".$pos); > > This will yield the results you want. I tried it, works like a champ. > Remember: modification of array elements via indices is your php4 friend > especially when dealing with objects! :) > > Eddy Nu?ez > Tel: 718-614-7033 > > From tgales at tgaconnect.com Mon Dec 8 10:38:33 2003 From: tgales at tgaconnect.com (Tim Gales) Date: Mon, 8 Dec 2003 10:38:33 -0500 Subject: [nycphp-talk] Connection to MySQL 4.1.X with php 5.0b2 running windows xp Message-ID: <000201c3bda1$56fa1480$bf8d3818@oberon1> Has anybody loaded the php_mysql extension under windows? I wanted to test/experiment with something using a php client connection to MySQL 4.1.0 (alpha). I am using a precompiled php 5.0b2 dated 30-Oct-2003. If I check the dependencies of the php_mysql.dll it seems like in the php4ts.dll library '_zend_hash_add_or_update' and 'OnUpdateLong' are both unresolved. As a footnote both the php4ts.dll and the php_mysl.dll are the ones which came with the precompiled php (in a zip file) Any ideas/comments would be appreciated. T. Gales & Associates 'Helping People Connect with Technology' http://www.tgaconnect.com From danielc at analysisandsolutions.com Mon Dec 8 11:28:49 2003 From: danielc at analysisandsolutions.com (Daniel Convissor) Date: Mon, 8 Dec 2003 11:28:49 -0500 Subject: [nycphp-talk] array of object being passed by reference problem In-Reply-To: References: <7CE0EC1FC2D0D411910700508BE38D0F0A6D9DC3@msxnyusr01.msx.ops.tiaa-cref.org> Message-ID: <20031208162849.GA14268@panix.com> Hi Jeff: On Mon, Dec 08, 2003 at 09:58:40AM -0500, Jeff Barrett wrote: > > function & method1() > { > return $this->arrayOfPointers; > } > > Notice the & before the method1, that does some nice magic. Makes the > function return pointers, Do note a few things. They're called "references," which are kind of like pointers, but aren't true pointers. Establishing a function like that is termed "returning by reference." Only return variables from such methods. Most people use the style with the & is next to the function name: "function &method()" Finally, the reference isn't created unless the call to the function says it should via the =&: $foo =& method1(); --Dan -- FREE scripts that make web and database programming easier http://www.analysisandsolutions.com/software/ T H E A N A L Y S I S A N D S O L U T I O N S C O M P A N Y 4015 7th Ave #4AJ, Brooklyn NY v: 718-854-0335 f: 718-854-0409 From jlacey at att.net Mon Dec 8 11:43:27 2003 From: jlacey at att.net (John Lacey) Date: Mon, 08 Dec 2003 09:43:27 -0700 Subject: [nycphp-talk] sqlite update Message-ID: <3FD4AA2F.2080507@att.net> FYI, Since the scheme to fix the MySQL \' issue with a PRAGMA (PRAGMA backslash_escapes=ON;) will be off by default, I sent a msg to Marc Delisle -- phpMyAdmin developer. He said he'd add a feature to support two single quote exports. so, the SQLite utility will be covered by an option to honor one of the MySQL escape methods (\') and the phpMyAdmin app. will be able to optionally use two single quotes when exporting John >From hans not junk at nyphp.com Mon Dec 8 15:07:10 2003 Return-Path: Received: from londo.swishmail.com (londo.swishmail.com [209.10.110.95]) by virtu.nyphp.org (Postfix) with ESMTP id 5C645A85F7 for ; Mon, 8 Dec 2003 15:07:10 -0500 (EST) Received: (qmail 20741 invoked by uid 89); 8 Dec 2003 20:07:10 -0000 Received: from unknown (HELO nyphp.com) (hans not junk at nyphp.com@66.65.174.214) by londo.swishmail.com with AES256-SHA encrypted SMTP; 8 Dec 2003 20:07:10 -0000 Message-ID: <3FD4D9EA.20707 at nyphp.com> Date: Mon, 08 Dec 2003 15:07:06 -0500 From: Hans Zaunere User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.5) Gecko/20031007 X-Accept-Language: en-us, en MIME-Version: 1.0 To: tgales at tgaconnect.com, NYPHP Talk Subject: Re: [nycphp-talk] Connection to MySQL 4.1.X with php 5.0b2 running windows xp References: <000201c3bda1$56fa1480$bf8d3818 at oberon1> In-Reply-To: <000201c3bda1$56fa1480$bf8d3818 at oberon1> Content-Type: text/plain; charset=us-ascii; format=flowed Content-Transfer-Encoding: 7bit Cc: X-BeenThere: talk at lists.nyphp.org X-Mailman-Version: 2.1.2 Precedence: list Reply-To: NYPHP Talk List-Id: NYPHP Talk List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 08 Dec 2003 20:07:10 -0000 Tim Gales wrote: > Has anybody loaded the php_mysql extension under windows? > I wanted to test/experiment with something using a php client > connection to MySQL 4.1.0 (alpha). > > I am using a precompiled php 5.0b2 > dated 30-Oct-2003. > > If I check the dependencies of the php_mysql.dll > it seems like in the php4ts.dll library > '_zend_hash_add_or_update' and 'OnUpdateLong' > are both unresolved. I'm not too familiar with the Windows precompiled binaries (although I've had PHP4 and MySQL humming along under WinXP) but if you're using a PHP 5 beta, why is it php4ts.dll? Might be something to check out, and/or go to http://snaps.php.net and get the latest and greatest. H From danielc at analysisandsolutions.com Mon Dec 8 15:13:51 2003 From: danielc at analysisandsolutions.com (Daniel Convissor) Date: Mon, 8 Dec 2003 15:13:51 -0500 Subject: [nycphp-talk] Connection to MySQL 4.1.X with php 5.0b2 running windows xp In-Reply-To: <3FD4D9EA.20707@nyphp.com> References: <000201c3bda1$56fa1480$bf8d3818@oberon1> <3FD4D9EA.20707@nyphp.com> Message-ID: <20031208201351.GB7170@panix.com> Folks: On Mon, Dec 08, 2003 at 03:07:06PM -0500, Hans Zaunere wrote: > > I'm not too familiar with the Windows precompiled binaries (although I've > had PHP4 and MySQL humming along under WinXP) but if you're using a PHP 5 > beta, why is it php4ts.dll? Might be something to check out Very observant Hans. Those names are correct for now. This DLL naming matter has been brought up to the developers, but there has been no indication as to whether or not this will change. I hope it does get modified because it would make it possible to easily run PHP 4 and PHP 5 on the same machine. Later, --Dan -- FREE scripts that make web and database programming easier http://www.analysisandsolutions.com/software/ T H E A N A L Y S I S A N D S O L U T I O N S C O M P A N Y 4015 7th Ave #4AJ, Brooklyn NY v: 718-854-0335 f: 718-854-0409 From danielc at analysisandsolutions.com Mon Dec 8 18:01:30 2003 From: danielc at analysisandsolutions.com (Daniel Convissor) Date: Mon, 8 Dec 2003 18:01:30 -0500 Subject: [nycphp-talk] SecurityFocus Newsletter #226 Message-ID: <20031208230130.GA21476@panix.com> PieterPost Unauthorized E-mail Account Access Vulnerability http://www.securityfocus.com/bid/9128 CuteNews Debug Query Information Disclosure Weakness http://www.securityfocus.com/bid/9130 -- FREE scripts that make web and database programming easier http://www.analysisandsolutions.com/software/ T H E A N A L Y S I S A N D S O L U T I O N S C O M P A N Y 4015 7th Ave #4AJ, Brooklyn NY v: 718-854-0335 f: 718-854-0409 From danporcher at earthlink.net Mon Dec 8 17:43:34 2003 From: danporcher at earthlink.net (Daniel Porcher) Date: Mon, 8 Dec 2003 17:43:34 -0500 Subject: [nycphp-talk] Date problems running PHP on IRIX In-Reply-To: <3FD4D9EA.20707@nyphp.com> Message-ID: I thought the 1969 date limitiation was just a Windows issue, but I have just run into the same problem on a client's web site hosted by Rapidsite. Rapidsite is hosting a PHP CGI implementation on Apache on IRIX on a SGI server. Here's the test code: echo formatdate("1970-01-30"); echo "
"; echo formatdate("1969-01-30"); echo "
"; echo formatdate("1959-01-30"); echo "
"; function formatdate($szdate) { if (isset($szdate) && ($szdate != "0000-00-00")) { $date = strtotime($szdate); $arrdate = getdate($date); $rtn = checkdate($arrdate['mon'], $arrdate['mday'] , $arrdate['year']); if($rtn) { return ($arrdate['mon'] . "/" . $arrdate['mday'] . "/" . $arrdate['year']); }else{ return $szdate; } } return ""; } The results I get on Rapidsite is: 1/30/1970 12/31/1969 12/31/1969 I ran the same code on another host and got the correct results 1/30/1970 1/30/1969 1/30/1959 Has anybody seen this problem before? Is there a work around? Thanks, Dan Daniel Porcher President Watershed Web Design Phone: (609) 466-0266 Fax: (609) 466-2701 From jsiegel1 at optonline.net Tue Dec 9 06:31:54 2003 From: jsiegel1 at optonline.net (Jeff Siegel) Date: Tue, 09 Dec 2003 06:31:54 -0500 Subject: [nycphp-talk] NYPHP Holiday Party RSVP Deadline Message-ID: <3FD5B2AA.8070501@optonline.net> The RSVP *deadline* for the NYPHP party is Sunday, Dec. 14th. If you haven't yet RSVP'ed, please do so now. Details are below. Jeff Siegel ================================== Join New York PHP for some Holiday cheer! The NYPHP Holiday Party will be on December 16th at 6:30pm at the Hard Rock Cafe, 221 West 57th Street, New York. The cost is $20.00 per person to be paid at the door which includes selection from the menu below. You must contact us in advance if you'll be attending. RSVP to party at nyphp.org All are welcome! When: December 16th at 6:30pm Where: Hard Rock Cafe, 221 West 57th Street, New York The Party Menu Choice of Entrees: HRC Country Char-Broiled Burger with Cheese and/or Bacon HRC Natural Veggie Burger Grilled Chicken Breast Sandwich HRC Caesar Salad Pig Sandwich Dessert: Homestyle Chocolate Cake Choice of Beverage: Coffee, Tea or Soft Drink >From hans not junk at nyphp.com Tue Dec 9 10:53:38 2003 Return-Path: Received: from londo.swishmail.com (londo.swishmail.com [209.10.110.95]) by virtu.nyphp.org (Postfix) with ESMTP id 90A7FA85E6 for ; Tue, 9 Dec 2003 10:53:38 -0500 (EST) Received: (qmail 32928 invoked by uid 89); 9 Dec 2003 15:53:38 -0000 Received: from unknown (HELO nyphp.com) (hans not junk at nyphp.com@128.122.155.151) by londo.swishmail.com with AES256-SHA encrypted SMTP; 9 Dec 2003 15:53:38 -0000 Message-ID: <3FD5F03F.6010402 at nyphp.com> Date: Tue, 09 Dec 2003 10:54:39 -0500 From: Hans Zaunere User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.5) Gecko/20031007 X-Accept-Language: en-us, en MIME-Version: 1.0 To: NYPHP Talk Subject: Re: [nycphp-talk] Date problems running PHP on IRIX References: In-Reply-To: Content-Type: text/plain; charset=us-ascii; format=flowed Content-Transfer-Encoding: 7bit X-BeenThere: talk at lists.nyphp.org X-Mailman-Version: 2.1.2 Precedence: list Reply-To: NYPHP Talk List-Id: NYPHP Talk List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: ,