From james at 2-bit-toys.com  Thu Sep  1 03:06:39 2005
From: james at 2-bit-toys.com (James Tu)
Date: Thu, 01 Sep 2005 00:06:39 -0700
Subject: [nycphp-talk] php and deletion of Windows directories
Message-ID: <6.2.0.14.0.20050831235613.03218350@www.2-bit-toys.com>

I have a php script and it can delete a directory and it's children files 
without any problems on a OS X machine.

However, on a Windows machine I can only delete the files in the directory 
but not the directory itself.  I've been playing around with the 
permissions of the directory and the parent of the directory but I can't 
seem to find the right settings.  What is the user that PHP runs under in 
Windows?


James Tu
james at 2-bit-toys.com 


-- 
No virus found in this outgoing message.
Checked by AVG Anti-Virus.
Version: 7.0.344 / Virus Database: 267.10.18/86 - Release Date: 8/31/2005




From phil at bearingasset.com  Thu Sep  1 05:32:46 2005
From: phil at bearingasset.com (Phil Duffy)
Date: Thu, 1 Sep 2005 05:32:46 -0400
Subject: [nycphp-talk] Partial Name Lookup Function in PEAR
In-Reply-To: <8C77CAA3E05A480-94C-297D@MBLK-M28.sysops.aol.com>
Message-ID: <20050901093248.8A213A8771@virtu.nyphp.org>

Lee,

 

Thanks for the clue.  That will get me started.

 

Phil

 

  _____  

From: talk-bounces at lists.nyphp.org [mailto:talk-bounces at lists.nyphp.org] On
Behalf Of leeeyerman at aol.com
Sent: Wednesday, August 31, 2005 8:19 PM
To: talk at lists.nyphp.org
Subject: Re: [nycphp-talk] Partial Name Lookup Function in PEAR

 

 I do not know about PEAR but if you are just trying to look up a first or
last name (or anything other name/text) using only a partial piece of
information the LIKE command is best.

 

SELECT "column" FROM "table" WHERE "column_name" LIKE [PATTERN] 

 

ie.

 

SELECT * FROM pics WHERE pic_name LIKE '%ANG%'

 

This would return all pic_name where ANG is contained in the string.

 

http://www.1keydata.com/sql/sqllike.html

http://www.techonthenet.com/sql/like.php 

 

 

 
-----Original Message-----
From: Phil Duffy <phil at bearingasset.com>
To: 'NYPHP Talk' <talk at lists.nyphp.org>
Sent: Wed, 31 Aug 2005 21:05:48 -0400
Subject: [nycphp-talk] Partial Name Lookup Function in PEAR

Does PEAR offer a partial name lookup function?  What is the best way to do
a partial name lookup in a database-independent manner?  If I must drop back
to hard-coded MySQL calls, is the LOCATE() function the appropriate one to
use in this situation?

Any responses will be appreciated, including advice to direct these
questions to another list.

Phil Duffy

_______________________________________________

New York PHP Talk Mailing List

AMP Technology

Supporting Apache, MySQL and PHP

http://lists.nyphp.org/mailman/listinfo/talk

http://www.nyphp.org

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.nyphp.org/pipermail/talk/attachments/20050901/b846789b/attachment.html>

From cliff at pinestream.com  Thu Sep  1 09:25:59 2005
From: cliff at pinestream.com (Cliff Hirsch)
Date: Thu, 1 Sep 2005 09:25:59 -0400
Subject: [nycphp-talk] Need help randomly accessing records from a database
In-Reply-To: <6.2.0.14.0.20050831235613.03218350@www.2-bit-toys.com>
Message-ID: <002801c5aef8$b1817160$11a8a8c0@cliff>

I need to randomly access records from a database and have come up with
the following solution:

1. Find max primary key id
2. Generate random # between 0 & max
3. Get record

This solution implies that the primary key value is 0...Max,
sequentially without "holes".

But what it I delete records or want to "mask out" certain records? If I
delete records, it's seems like the only method would be to reindex the
database. And to mask, I'm lost other than using a 2nd database
containing just the desired records with a join to the first.

Any ideas?

Cliff Hirsch
_______________________________
Pinestream Communications, Inc.
Publisher of Semiconductor Times & Telecom Trends
52 Pine Street, Weston, MA 02493 USA
Tel: 781.647.8800, Fax: 781.647.8825
http://www.pinestream.com



From dcech at phpwerx.net  Thu Sep  1 09:35:51 2005
From: dcech at phpwerx.net (Dan Cech)
Date: Thu, 01 Sep 2005 09:35:51 -0400
Subject: [nycphp-talk] Need help randomly accessing records from a
	database
In-Reply-To: <002801c5aef8$b1817160$11a8a8c0@cliff>
References: <002801c5aef8$b1817160$11a8a8c0@cliff>
Message-ID: <431703B7.4030102@phpwerx.net>

Try this:

SELECT *
FROM `sometable`
ORDER BY RAND()
LIMIT 1

Dan

Cliff Hirsch wrote:
> I need to randomly access records from a database and have come up with
> the following solution:
> 
> 1. Find max primary key id
> 2. Generate random # between 0 & max
> 3. Get record
> 
> This solution implies that the primary key value is 0...Max,
> sequentially without "holes".
> 
> But what it I delete records or want to "mask out" certain records? If I
> delete records, it's seems like the only method would be to reindex the
> database. And to mask, I'm lost other than using a 2nd database
> containing just the desired records with a join to the first.
> 
> Any ideas?
> 
> Cliff Hirsch


From jellicle at gmail.com  Thu Sep  1 09:37:36 2005
From: jellicle at gmail.com (Michael Sims)
Date: Thu, 1 Sep 2005 09:37:36 -0400
Subject: [nycphp-talk] Need help randomly accessing records from a
	database
In-Reply-To: <002801c5aef8$b1817160$11a8a8c0@cliff>
References: <002801c5aef8$b1817160$11a8a8c0@cliff>
Message-ID: <200509010937.37350.jellicle@gmail.com>

On Thursday 01 September 2005 09:25, Cliff Hirsch wrote:

> I need to randomly access records from a database and have come up with
> the following solution:

> Any ideas?

SELECT field1, field2, rand() AS myrand FROM table ORDER BY myrand LIMIT 1;

It's a common problem.  With a solution that's easy, once you know it.  :)

Michael Sims


From cliff at pinestream.com  Thu Sep  1 09:41:57 2005
From: cliff at pinestream.com (Cliff Hirsch)
Date: Thu, 1 Sep 2005 09:41:57 -0400
Subject: [nycphp-talk] Need help randomly accessing records from adatabase
In-Reply-To: <200509010937.37350.jellicle@gmail.com>
Message-ID: <003001c5aefa$edc69a40$11a8a8c0@cliff>

Awesome! I knew there had to be something out there!

-----Original Message-----
From: talk-bounces at lists.nyphp.org [mailto:talk-bounces at lists.nyphp.org]
On Behalf Of Michael Sims
Sent: Thursday, September 01, 2005 9:38 AM
To: NYPHP Talk
Subject: Re: [nycphp-talk] Need help randomly accessing records from
adatabase


On Thursday 01 September 2005 09:25, Cliff Hirsch wrote:

> I need to randomly access records from a database and have come up 
> with the following solution:

> Any ideas?

SELECT field1, field2, rand() AS myrand FROM table ORDER BY myrand LIMIT
1;

It's a common problem.  With a solution that's easy, once you know it.
:)

Michael Sims
_______________________________________________
New York PHP Talk Mailing List
AMP Technology
Supporting Apache, MySQL and PHP
http://lists.nyphp.org/mailman/listinfo/talk
http://www.nyphp.org



From dcech at phpwerx.net  Thu Sep  1 10:00:09 2005
From: dcech at phpwerx.net (Dan Cech)
Date: Thu, 01 Sep 2005 10:00:09 -0400
Subject: [nycphp-talk] Need help randomly accessing records from a
	database
In-Reply-To: <002801c5aef8$b1817160$11a8a8c0@cliff>
References: <002801c5aef8$b1817160$11a8a8c0@cliff>
Message-ID: <43170969.7090304@phpwerx.net>

Cliff Hirsch wrote:
> I need to randomly access records from a database and have come up with
> the following solution:

After I posted my last response I realised something I'd forgotten to 
mention.

For result sets larger than a few thousand rows you will most likely get 
better mileage out of something like:

$sql = 'SELECT COUNT(*) FROM `sometable`';
$cnt = $db->getOne($sql);

$rnd = mt_rand(0,$cnt - 1);

$sql = 'SELECT * FROM `sometable` LIMIT '. $rnd .',1';
$row = $db->getRow($sql);

My testing on a table with 50,000 rows indicated that this method was 
twice as fast on the first run and a massive 10x as fast for subsequent 
runs.

Dan


From RLindner at morrisjohnson.com  Thu Sep  1 10:52:38 2005
From: RLindner at morrisjohnson.com (Lindner, Richard)
Date: Thu, 1 Sep 2005 10:52:38 -0400
Subject: [nycphp-talk] php and deletion of Windows directories
Message-ID: <B89E384AF7CFCB4A8FE9C77AB10B29F6014AC4C4@mail.bsginc.wan>

>> However, on a Windows machine I can only delete the files in the directory 
>> but not the directory itself.  I've been playing around with the 
>> permissions of the directory and the parent of the directory but I can't 
>> seem to find the right settings.  What is the user that PHP runs under in 
>> Windows?


I believe that you're running into the limitation of the "delete" command in Windows.  In order to remove a direction, you need to use the "RD" or "RMDIR" command after deleting the files in the folder.


From leam at reuel.net  Thu Sep  1 11:21:50 2005
From: leam at reuel.net (leam at reuel.net)
Date: Thu, 1 Sep 2005 11:21:50 -0400
Subject: [nycphp-talk] DocumentRoot array oddness.
Message-ID: <20050901152150.GH2801@leitz.reuel.net>

I know I'm doing something wrong, just not sure what.

Here's the output from the web page:

DOCDIR is Array

PHPDIR is /home/alba/php

Here's the PHP bit that creates it:

	$DOCDIR = explode("/", "$_SERVER[DOCUMENT_ROOT]");
	echo "<p>DOCDIR is $DOCDIR";
	array_pop($DOCDIR);
	array_push($DOCDIR , "php");
	$PHPDIR = implode("/", $DOCDIR );
	echo "<p>PHPDIR is $PHPDIR";
	array_pop($DOCDIR);

$DOCDIR *should* be /home/alba. Or even the acutal DocumentRoot as alba is a v-host. It should *not* be "Array", and for the life of me I can't see how $PHPDIR gets set with $DOCDIR in a mess.

What do I need to straighten out?

ciao!

leam




From kenrbnsn at rbnsn.com  Thu Sep  1 11:35:03 2005
From: kenrbnsn at rbnsn.com (Ken Robinson)
Date: Thu, 01 Sep 2005 11:35:03 -0400
Subject: [nycphp-talk] DocumentRoot array oddness.
In-Reply-To: <20050901152150.GH2801@leitz.reuel.net>
References: <20050901152150.GH2801@leitz.reuel.net>
Message-ID: <6.2.5.4.2.20050901113013.02959840@rbnsn.com>

At 11:21 AM 9/1/2005, leam at reuel.net wrote:
>I know I'm doing something wrong, just not sure what.
>
>Here's the output from the web page:
>
>DOCDIR is Array
>
>PHPDIR is /home/alba/php
>
>Here's the PHP bit that creates it:
>
>         $DOCDIR = explode("/", "$_SERVER[DOCUMENT_ROOT]");

The explode() function creates a array from a string using the 
delineator that you specify.

>         echo "<p>DOCDIR is $DOCDIR";

echo '<pre>';print_r($DOCDIR);echo '</pre>';

>         array_pop($DOCDIR);
>         array_push($DOCDIR , "php");
>         $PHPDIR = implode("/", $DOCDIR );
>         echo "<p>PHPDIR is $PHPDIR";
>         array_pop($DOCDIR);
>
>$DOCDIR *should* be /home/alba. Or even the acutal DocumentRoot as 
>alba is a v-host. It should *not* be "Array", and for the life of me 
>I can't see how $PHPDIR gets set with $DOCDIR in a mess.

$PHPDIR gets created correctly since everywhere else you are treating 
$DOCDIR as the array it is. The implode() fuction creates a string 
from an array putting the string you specify between each element in the array.

Ken Robinson 



From steve.rieger at tbwachiat.com  Thu Sep  1 12:17:17 2005
From: steve.rieger at tbwachiat.com (Steve Rieger)
Date: Thu, 1 Sep 2005 12:17:17 -0400
Subject: [nycphp-talk] large file download
Message-ID: <0A5C091C-BEC2-40E2-9BAF-5A6D0C876B89@tbwachiat.com>

hi all
have an interesting question
i have large files that i am trying to download, anything up to 230  
MB works but from 250 and up i can not download. i get no errors in  
the error logs, and when i hit the download button apache seems to  
request the file but does not.
here are my php info variables for this dir, as defined in .htaccess

max_input_time    60
memory_limit    947M
output_buffering    4096


this is a page written in php, the files are there, and i can d/l the  
ones smaller than 250 MB. any pointers.  all the files are on local  
disks.

--
Steve Rieger
AIM chozrim
ICQ 53956607
Cell 646 335 8915
steve.rieger at tbwachiat.com

I had the blues because I had no shoes until upon the street, I met a  
man who had no feet.

Biker Blues




This e-mail is intended only for the named person or entity to which it is addressed and contains valuable business information that is privileged, confidential and/or otherwise protected from disclosure.  Dissemination, distribution or copying of this e-mail or the information herein by anyone other than the intended recipient, or an employee or agent responsible for delivering the message to the intended recipient, is strictly prohibited.  All contents are the copyright property of TBWA\Chiat\Day, its agencies or a client of such agencies.  If you are not the intended recipient, you are nevertheless bound to respect the worldwide legal rights of TBWA\Chiat\Day, its agencies and its clients.  We require that unintended recipients delete the e-mail and destroy all electronic copies in their system, retaining no copies in any media.  If you have received this e-mail in error, please immediately notify us via e-mail to disclaimer at tbwachiat.com.  We appreciate your cooperation.

We make no warranties as to the accuracy or completeness of this e-mail and accept no liability for its content or use.  Any opinions expressed in this e-mail are those of the author and do not necessarily reflect the opinions of TBWA\Chiat\Day or any of its agencies or affiliates.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.nyphp.org/pipermail/talk/attachments/20050901/cef7acc0/attachment.html>

From cliff at pinestream.com  Thu Sep  1 12:44:42 2005
From: cliff at pinestream.com (Cliff Hirsch)
Date: Thu, 1 Sep 2005 12:44:42 -0400
Subject: [nycphp-talk] PHP Form Validation
In-Reply-To: <0A5C091C-BEC2-40E2-9BAF-5A6D0C876B89@tbwachiat.com>
Message-ID: <006701c5af14$7429f280$11a8a8c0@cliff>

PHPBuilder just posted this article: PHP Form Validation System: An
Object-Oriented Approach
See:  <http://www.phpbuilder.com/columns/weiner20050831.php3>
http://www.phpbuilder.com/columns/weiner20050831.php3 
 
Beside the primary validation content, the article uses the following
example, which I often see:
<input type="text" name="email" value="<?=$_POST['email']?>" /> 
 
I often wonder (but not when I'm with my wife) what the pros and cons
are of using value= $_POST['something'] versus value = $fresh_variable.
 
First, can't $_POST['email'] create an error, since on first pass, the
'email' key would not exist.
 
Second, how do you set default values? You would be setting the Post
array, which changes the source of the value from a form post to a
program. Doesn't seem right to me.
 
Third, if you do want to "scrub" the input, that implies modifying
$_POST['something'], which is in direct conflict with Chris Shiftlett's
$clean_array approach. Ok, so what's the harm in letting a user send
him/herself a potential <nastystuff> script -- still seems wrong to me.
 
Comments?
 
Cliff Hirsch
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.nyphp.org/pipermail/talk/attachments/20050901/9573babb/attachment.html>

From agfische at email.smith.edu  Thu Sep  1 12:52:51 2005
From: agfische at email.smith.edu (Aaron Fischer)
Date: Thu, 01 Sep 2005 12:52:51 -0400
Subject: [nycphp-talk] PHP Form Validation
In-Reply-To: <006701c5af14$7429f280$11a8a8c0@cliff>
References: <006701c5af14$7429f280$11a8a8c0@cliff>
Message-ID: <431731E3.7080105@email.smith.edu>

If the $_POST['var'] doesn't have a value or hasn't been created, 
nothing is outputted, so the form just has value="" in the html form.  
Nothing wrong with that as far as I know.  I use something similar in my 
forms, haven't run into any problems.

-Aaron


Cliff Hirsch wrote:

> PHPBuilder just posted this article: PHP Form Validation System: An 
> Object-Oriented Approach
> See: http://www.phpbuilder.com/columns/weiner20050831.php3 
>  
> Beside the primary validation content, the article uses the following 
> example, which I often see:
> <input type="text" name="email" value="<?=$_POST['email']?>" /> 
>  
> I often wonder (but not when I'm with my wife) what the pros and cons 
> are of using value= $_POST['something'] versus value = $fresh_variable.
>  
> First, can't $_POST['email'] create an error, since on first pass, the 
> 'email' key would not exist.
>  
> Second, how do you set default values? You would be setting the Post 
> array, which changes the source of the value from a form post to a 
> program. Doesn't seem right to me.
>  
> Third, if you do want to "scrub" the input, that implies modifying 
> $_POST['something'], which is in direct conflict with Chris 
> Shiftlett's $clean_array approach. Ok, so what's the harm in letting a 
> user send him/herself a potential <nastystuff> script -- still seems 
> wrong to me.
>  
> Comments?
>  
> Cliff Hirsch




From hendler at simmons.edu  Thu Sep  1 13:02:49 2005
From: hendler at simmons.edu (Jonathan)
Date: Thu, 01 Sep 2005 13:02:49 -0400
Subject: [nycphp-talk] PHP Form Validation
In-Reply-To: <431731E3.7080105@email.smith.edu>
References: <006701c5af14$7429f280$11a8a8c0@cliff>
	<431731E3.7080105@email.smith.edu>
Message-ID: <43173439.2000803@simmons.edu>

Without looking at the PHP builder article - I think there are many 
things wrong with embedding $_POST in form html:

   1. if you display warning messages in your PHP ini it will display a
      warning on the first pass
   2. you can't run filters before display like htmlentities - the user
      can input javascript, html, or other ickiness like even a double
      quote can break the form
   3. what if you have a form with 10 steps and you want the user to be
      able to go back to a stage 3 and modify the data they had entered?
   4. html should probably be in a template file

What's trying to be accomplished is in a sense "state preservation" as 
well as cleaning/checking of the data. Just embedding $_REQUEST, $_POST, 
or $_GET is insufficient for any larger application.

Aaron Fischer wrote:

>If the $_POST['var'] doesn't have a value or hasn't been created, 
>nothing is outputted, so the form just has value="" in the html form.  
>Nothing wrong with that as far as I know.  I use something similar in my 
>forms, haven't run into any problems.
>
>-Aaron
>
>
>Cliff Hirsch wrote:
>
>  
>
>>PHPBuilder just posted this article: PHP Form Validation System: An 
>>Object-Oriented Approach
>>See: http://www.phpbuilder.com/columns/weiner20050831.php3 
>> 
>>Beside the primary validation content, the article uses the following 
>>example, which I often see:
>><input type="text" name="email" value="<?=$_POST['email']?>" /> 
>> 
>>I often wonder (but not when I'm with my wife) what the pros and cons 
>>are of using value= $_POST['something'] versus value = $fresh_variable.
>> 
>>First, can't $_POST['email'] create an error, since on first pass, the 
>>'email' key would not exist.
>> 
>>Second, how do you set default values? You would be setting the Post 
>>array, which changes the source of the value from a form post to a 
>>program. Doesn't seem right to me.
>> 
>>Third, if you do want to "scrub" the input, that implies modifying 
>>$_POST['something'], which is in direct conflict with Chris 
>>Shiftlett's $clean_array approach. Ok, so what's the harm in letting a 
>>user send him/herself a potential <nastystuff> script -- still seems 
>>wrong to me.
>> 
>>Comments?
>> 
>>Cliff Hirsch
>>    
>>
>
>
>_______________________________________________
>New York PHP Talk Mailing List
>AMP Technology
>Supporting Apache, MySQL and PHP
>http://lists.nyphp.org/mailman/listinfo/talk
>http://www.nyphp.org
>  
>

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.nyphp.org/pipermail/talk/attachments/20050901/e3343350/attachment.html>

From mail at billyreisinger.com  Thu Sep  1 13:06:28 2005
From: mail at billyreisinger.com (Billy Reisinger)
Date: Thu, 01 Sep 2005 13:06:28 -0400
Subject: [nycphp-talk] PHP Form Validation
In-Reply-To: <006701c5af14$7429f280$11a8a8c0@cliff>
References: <006701c5af14$7429f280$11a8a8c0@cliff>
Message-ID: <43173514.8080403@billyreisinger.com>

Cliff Hirsch wrote:

It would seem to me that, whether you plan on using a 
$_REQUEST['variable'] or a $fresh_variable directly in your form, you 
will still need to do the same sort of validation and security checking 
on it. 

> PHPBuilder just posted this article: PHP Form Validation System: An 
> Object-Oriented Approach
> See: http://www.phpbuilder.com/columns/weiner20050831.php3 
>  
> Beside the primary validation content, the article uses the following 
> example, which I often see:
> <input type="text" name="email" value="<?=$_POST['email']?>" /> 
>  
> I often wonder (but not when I'm with my wife) what the pros and cons 
> are of using value= $_POST['something'] versus value = $fresh_variable.
>  
> First, can't $_POST['email'] create an error, since on first pass, the 
> 'email' key would not exist.

Yeah, using an unset variable will throw a warning; you wouldn't see it 
unless your error reporting is set to see warnings.  You can use a few 
lines of code to set a bunch of variables that are used in your forms.  
I think it is good practice to set all variables before using them - 
many other programming languages require this.

$array_of_variable_names = array("email", "name", "blah");
foreach($array_of_variable_names as $variable_name) {
    if (!isset($_REQUEST[$variable_name])) {
       $_REQUEST[$variable_name] = "";
    }
}

>  
> Second, how do you set default values? You would be setting the Post 
> array, which changes the source of the value from a form post to a 
> program. Doesn't seem right to me.

use the isset() function to detect whether the variable has been set by 
the user ... if it hasn't, create a default value.  You can even do this 
one quickly, too.

//load an array with names of variables and default values
$variables_and_defaults = array("variable1"=>"value1", 
"variable2"=>"value2");

//cycle through the array
foreach($variables_and_defaults as $variable_name => $variable_value) {
   
    //if this variable is not set,
    if (!isset($$variable_name)) {

       //assign it the default value you associated with it above.
       $$variable_name = $variable_value;
    }
}
That's the general idea; I haven't checked it for errors, but it should 
work.

>  
> Third, if you do want to "scrub" the input, that implies modifying 
> $_POST['something'], which is in direct conflict with Chris 
> Shiftlett's $clean_array approach. Ok, so what's the harm in letting a 
> user send him/herself a potential <nastystuff> script -- still seems 
> wrong to me.
>
A number of reasons! The mail() script can be hijacked in any number of 
ways; it is always a good idea to thoroughly clean any variables that 
are used in that function.  mysql queries are vulnerable to attack, too, 
so be sure never to trust any variable that passes from page to page.
Cheers,
Billy Reisinger



From jellicle at gmail.com  Thu Sep  1 13:31:31 2005
From: jellicle at gmail.com (Michael Sims)
Date: Thu, 1 Sep 2005 13:31:31 -0400
Subject: [nycphp-talk] PHP Form Validation
In-Reply-To: <006701c5af14$7429f280$11a8a8c0@cliff>
References: <006701c5af14$7429f280$11a8a8c0@cliff>
Message-ID: <200509011331.31227.jellicle@gmail.com>

On Thursday 01 September 2005 12:44, Cliff Hirsch wrote:

> Beside the primary validation content, the article uses the following
> example, which I often see:
> <input type="text" name="email" value="<?=$_POST['email']?>" />

This is a cross-site scripting hole.

> Third, if you do want to "scrub" the input, that implies modifying
> $_POST['something'], which is in direct conflict with Chris Shiftlett's
> $clean_array approach. Ok, so what's the harm in letting a user send
> him/herself a potential <nastystuff> script -- still seems wrong to me.

Ah, but suppose the user didn't do it to himself.

Suppose I make a javascript function on my site.  The javascript on my site 
tells the web browser visiting my site to submit a form to YOUR site, with 
some POST variables.  Maybe the "email" variable in the POST request is set 
to, say:

"><script>alert('I just stole your cookies!')</script>

Now when the person browsing MY site executes that Javascript on MY site, 
his browser visits your site, submits a form, and the resulting page (which 
has access to the user's cookies) looks like:

<input type="text" name="email" value=""><script>alert('I just stole your 
cookies!')</script>" />

So the generated page, rendering on the user's machine and with access to 
the user's cookies for YOUR website, can now contain and execute ANY 
Javascript that *I* want to execute, which can easily send me your user's 
cookies (which may allow me to impersonate your user).

And again, all the user has to do is visit MY website with Javascript 
enabled in order for their cookies for your website to be stolen.

It is a conceptual error that content seen only by the user can't be a 
security hole.  It can.  DO NOT echo POST, GET, or COOKIE variables back to 
the user without AT LEAST escaping things like quotes, angle brackets, and 
so on.  The htmlspecialchars() or htmlentities() functions are a good 
start.


Michael Sims


From mitch.pirtle at gmail.com  Thu Sep  1 14:19:08 2005
From: mitch.pirtle at gmail.com (Mitch Pirtle)
Date: Thu, 1 Sep 2005 14:19:08 -0400
Subject: [nycphp-talk] What's in a name
In-Reply-To: <330532b6050901111272d269d8@mail.gmail.com>
References: <330532b6050901111272d269d8@mail.gmail.com>
Message-ID: <330532b6050901111938ba51fe@mail.gmail.com>

Here is the actual press release:

Award-winning Development Team Welcomes New Arrival -- Joomla!

The multi-award-winning team of core developers, that developed the
world's most popular content management system known as Mambo, has
changed the name of their software to Joomla!

Today, the development team unveiled the Joomla! project's new home at
www.joomla.org.

The Joomla! project announcement comes three weeks after the
development team unanimously voted to secure the project's future in
the spirit of open source software.

The development team formed Open Source Matters
(www.opensourcematters.org) to distribute information to users,
developers, web designers and the community in general.

Project leader Andrew Eddie made the announcement today, heralding the
forthcoming release of Joomla! 1.0.0, the team's first release under
the new structure and brand.

"This forthcoming release will be a celebration for everyone," Mr
Eddie said. "It marks the continuation of one of the best open source
software collaborations without commercial restraint or intervention."

He said the baby Joomla! would be a mature release of the project,
which includes rebranding, bug fixes and security patches. The Joomla!
roadmap about forthcoming releases of the project can be found at the
Joomla! website.

Core team member Brian Teeman said the release of Joomla! was
particularly important to the large user base, which had "supported us
through thick and thin".

"The community is now free to celebrate the new arrival and know the
project is in very safe hands indeed," Mr Teeman said.

The core team has been working very closely with the Software Freedom
Law Center (SFLC), in New York, to establish the Joomla! and Open
Source Matters entities. The SFLC provided legal representation and
other law related services to protect and advance free and open source
software.

"We are grateful for the excellent guidance and legal advice provided
-- at extremely short notice -- by Eben Moglen and his team at the
centre," Mr Teeman said.

"During Joomla's evolution, the project has received thousands of
emails, posts, letters and phone calls of support from people all over
the world," Mr Eddie said.

"The number of people expressing support is quite staggering --
including hobbyists, developers, third-party developers, web
designers, business owners, teachers, students, even members of other
CMS projects ... the list goes on and on," he said.

"Now the word is out and Joomla! has been born, we are focussed on
continuing our award-winning work and taking the project to new
heights."

Joomla! website creation software is released under GNU Public
License. Read more at www.joomla.org and www.opensourcematters.org.

Release prepared by Peter Russell
Authorised by Andrew Eddie and Brian Teeman

--
Mitch Pirtle
Joomla! Core Developer


From chsnyder at gmail.com  Thu Sep  1 16:25:00 2005
From: chsnyder at gmail.com (csnyder)
Date: Thu, 1 Sep 2005 16:25:00 -0400
Subject: [nycphp-talk] large file download
In-Reply-To: <0A5C091C-BEC2-40E2-9BAF-5A6D0C876B89@tbwachiat.com>
References: <0A5C091C-BEC2-40E2-9BAF-5A6D0C876B89@tbwachiat.com>
Message-ID: <b76252690509011325155239ae@mail.gmail.com>

On 9/1/05, Steve Rieger <steve.rieger at tbwachiat.com> wrote:
> hi all
> have an interesting question
> i have large files that i am trying to download, anything up to 230 MB works
> but from 250 and up i can not download. i get no errors in the error logs,
> and when i hit the download button apache seems to request the file but does
> not. 
> here are my php info variables for this dir, as defined in .htaccess
> 
> max_input_time    60
> memory_limit    947M 
> output_buffering    4096
> 
> 
> this is a page written in php, the files are there, and i can d/l the ones
> smaller than 250 MB. any pointers.  all the files are on local disks.

No real ideas, but a hunch... check your server system log (
/var/log/messages on Linux ) for signs that httpd has crashed. Not
sure what you would do about it, but if you don't see any indication
that Apache is barfing, you can cross that possibly off the list and
look for other factors.

What *does* happen? Zero-length file? 
Is there an entry in the httpd access_log?

Hmmm.

-- 
Chris Snyder
http://chxo.com/


From hendler at simmons.edu  Thu Sep  1 16:49:36 2005
From: hendler at simmons.edu (Jonathan)
Date: Thu, 01 Sep 2005 16:49:36 -0400
Subject: [nycphp-talk] large file download
In-Reply-To: <b76252690509011325155239ae@mail.gmail.com>
References: <0A5C091C-BEC2-40E2-9BAF-5A6D0C876B89@tbwachiat.com>
	<b76252690509011325155239ae@mail.gmail.com>
Message-ID: <43176960.3080901@simmons.edu>

If I remember you were trying to do some operation using zip files and 
fread.
Is apache downloading the files directly, or do you pass the files 
through php and push out the http headers from there?
If you are passing the binary data through php you might want to read in 
chunks then flush the data to the browser (base 64 encode also) rather 
than one long stream.

csnyder wrote:

>On 9/1/05, Steve Rieger <steve.rieger at tbwachiat.com> wrote:
>  
>
>>hi all
>>have an interesting question
>>i have large files that i am trying to download, anything up to 230 MB works
>>but from 250 and up i can not download. i get no errors in the error logs,
>>and when i hit the download button apache seems to request the file but does
>>not. 
>>here are my php info variables for this dir, as defined in .htaccess
>>
>>max_input_time    60
>>memory_limit    947M 
>>output_buffering    4096
>>
>>
>>this is a page written in php, the files are there, and i can d/l the ones
>>smaller than 250 MB. any pointers.  all the files are on local disks.
>>    
>>
>
>No real ideas, but a hunch... check your server system log (
>/var/log/messages on Linux ) for signs that httpd has crashed. Not
>sure what you would do about it, but if you don't see any indication
>that Apache is barfing, you can cross that possibly off the list and
>look for other factors.
>
>What *does* happen? Zero-length file? 
>Is there an entry in the httpd access_log?
>
>Hmmm.
>
>  
>



From shiflett at php.net  Thu Sep  1 18:37:02 2005
From: shiflett at php.net (Chris Shiflett)
Date: Thu, 01 Sep 2005 18:37:02 -0400
Subject: [nycphp-talk] PHP Form Validation
In-Reply-To: <006701c5af14$7429f280$11a8a8c0@cliff>
References: <006701c5af14$7429f280$11a8a8c0@cliff>
Message-ID: <4317828E.5030206@php.net>

Cliff Hirsch wrote:
> See: http://www.phpbuilder.com/columns/weiner20050831.php3 
>  
> Beside the primary validation content, the article uses the
> following example, which I often see:
> <input type="text" name="email" value="<?=$_POST['email']?>" />

This is really a big problem within our community. I can't think of a 
more obvious XSS vulnerability, but here it is in an article that 
numerous developers will read and apply to their own development.

In the past, I have made a conscious effort to contact the author of any 
article that teaches poor practices like this, but I very rarely get a 
response. I can only think of one article that was ever corrected - Zend 
removed one of their articles at my request. I've considered blogging 
about (or otherwise making public) the problems with an article such as 
this, but I don't like to spread unfriendliness - after all, the 
friendly nature of the PHP community is what I like about it.

> First, can't $_POST['email'] create an error, since on first pass,
> the 'email' key would not exist.

Yes, and although there are many ways to deal with this, none have ever 
seemed very elegant to me. The lesser of evils is to initialize elements 
within $_POST that you reference in this way, but I don't like modifying 
anything in $_POST, ever. I often see people using error supression, 
which I really hate:

<?=@$_POST['email']?>

In fact, this was in some courseware from which I was teaching once. I 
couldn't believe it. Not only is it not a very good practice to be 
teaching, but imagine being new to PHP and trying to digest that 
statement one character at a time:

<
?
=
@
$
_

Good grief!

If I wanted to write code like that, I'd be using Perl. :-)

> Second, how do you set default values? You would be setting the
> Post array, which changes the source of the value from a form post
> to a program. Doesn't seem right to me.

Me neither. :-)

> Third, if you do want to "scrub" the input, that implies modifying
> $_POST['something'], which is in direct conflict with Chris
> Shiflett's $clean_array approach.

I think this article neither filters input nor escapes output, despite 
the fact that it's supposed to be an article about input filtering.

> Ok, so what's the harm in letting a user send him/herself a
> potential <nastystuff> script -- still seems wrong to me.

I usually give examples that use $_GET in an attempt to solicit this 
question - who cares if the user attacks himself? Well, with $_GET, 
clearly the malicious content can be embedded in a link to your 
application. With $_POST, it's not quite as easy, but it's still 
possible - a "link" to your application can really be a form submission.

So, it sounds like you have good instincts. :-)

Chris

-- 
Chris Shiflett
Brain Bulb, The PHP Consultancy
http://brainbulb.com/


From dmintz at davidmintz.org  Thu Sep  1 21:41:35 2005
From: dmintz at davidmintz.org (David Mintz)
Date: Thu, 1 Sep 2005 21:41:35 -0400 (EDT)
Subject: [nycphp-talk] PHP Form Validation
In-Reply-To: <4317828E.5030206@php.net>
References: <006701c5af14$7429f280$11a8a8c0@cliff> <4317828E.5030206@php.net>
Message-ID: <Pine.BSF.4.58.0509012130300.10206@emra.pair.com>

On Thu, 1 Sep 2005, Chris Shiflett wrote:

> Cliff Hirsch wrote:
> > See: http://www.phpbuilder.com/columns/weiner20050831.php3
> >
> > Beside the primary validation content, the article uses the
> > following example, which I often see:
> > <input type="text" name="email" value="<?=$_POST['email']?>" />
>
> This is really a big problem within our community. I can't think of a
> more obvious XSS vulnerability, but here it is in an article that
> numerous developers will read and apply to their own development.
<big snip />

I can testify that reading questionable tutorials and articles can set you
way back. Granted it was back in the days when people were still using PHP
3, and security- and hygienic awareness in general was probably lower, but
when I first started using PHP I got off to a poor start relying on
register_globals, using uninitialized variables, developing without
E_NOTICE turned on, not quoting $array[key], etc, all because of following
published examples. Sure, a more experienced, heads-up developer would
have known better, but...


---
David Mintz
http://davidmintz.org/


From mail at billyreisinger.com  Thu Sep  1 22:36:40 2005
From: mail at billyreisinger.com (Billy Reisinger)
Date: Thu, 1 Sep 2005 22:36:40 -0400
Subject: [nycphp-talk] PHP Form Validation
In-Reply-To: <4317828E.5030206@php.net>
References: <006701c5af14$7429f280$11a8a8c0@cliff> <4317828E.5030206@php.net>
Message-ID: <296BEAE9-A9E9-47C3-BA51-F43B9C856EED@billyreisinger.com>


On Sep 1, 2005, at 6:37 PM, Chris Shiflett wrote:

> Cliff Hirsch wrote:
>
>> See: http://www.phpbuilder.com/columns/weiner20050831.php3
>>
>> Beside the primary validation content, the article uses the
>> following example, which I often see:
>> <input type="text" name="email" value="<?=$_POST['email']?>" />
>>
>
> This is really a big problem within our community. I can't think of a
> more obvious XSS vulnerability, but here it is in an article that
> numerous developers will read and apply to their own development.
>

Correct me if I'm wrong here, folks, but using a $_POST['variable']  
directly in a form is no more or less vulnerable to attack than using  
a different variable that is a reference to a $_POST variable.  If  
you want to carry over form values after errors or across multiple  
form pages (i.e. preserve state), you have to reference these $_POST  
variables eventually, in some form or fashion.  In this sense, ALL  
forms are vulnerable to hacks.   It should be a necessary step for  
you to validate and protect yourself against any variable that your  
users can change.



From hendler at simmons.edu  Fri Sep  2 00:20:37 2005
From: hendler at simmons.edu (Jonathan)
Date: Fri, 02 Sep 2005 00:20:37 -0400
Subject: [nycphp-talk] PHP Form Validation
In-Reply-To: <296BEAE9-A9E9-47C3-BA51-F43B9C856EED@billyreisinger.com>
References: <006701c5af14$7429f280$11a8a8c0@cliff> <4317828E.5030206@php.net>
	<296BEAE9-A9E9-47C3-BA51-F43B9C856EED@billyreisinger.com>
Message-ID: <4317D315.6050808@simmons.edu>



Billy Reisinger wrote:

>On Sep 1, 2005, at 6:37 PM, Chris Shiflett wrote:
>
>  
>
>>Cliff Hirsch wrote:
>>
>>    
>>
>>>See: http://www.phpbuilder.com/columns/weiner20050831.php3
>>>
>>>Beside the primary validation content, the article uses the
>>>following example, which I often see:
>>><input type="text" name="email" value="<?=$_POST['email']?>" />
>>>
>>>      
>>>
>>This is really a big problem within our community. I can't think of a
>>more obvious XSS vulnerability, but here it is in an article that
>>numerous developers will read and apply to their own development.
>>
>>    
>>
>
>Correct me if I'm wrong here, folks, but using a $_POST['variable']  
>directly in a form is no more or less vulnerable to attack than using  
>a different variable that is a reference to a $_POST variable.  If  
>you want to carry over form values after errors or across multiple  
>form pages (i.e. preserve state), you have to reference these $_POST  
>variables eventually, in some form or fashion.  In this sense, ALL  
>forms are vulnerable to hacks.   It should be a necessary step for  
>you to validate and protect yourself against any variable that your  
>users can change.
>\
>  
>
Using $_POST is using a global variable - which if validated and 
transformed is an abuse of what $_POST is meant to represent. By moving 
variables out of global to preserve state you gain control of the 
variable ever changing again.
And the problem is deeper than about vulnerability to "attack" - its 
also about making reusable and clean architectures. So I see how you 
might say $_POST is like any other user altered variable - but the 
article being criticized is still promoting bad practice and, I guess 
from what is being said, makes no attempt to point out the obvious 
problems with embedding these tags in a form.


From chsnyder at gmail.com  Fri Sep  2 10:16:39 2005
From: chsnyder at gmail.com (csnyder)
Date: Fri, 2 Sep 2005 10:16:39 -0400
Subject: [nycphp-talk] PHP Form Validation
In-Reply-To: <Pine.BSF.4.58.0509012130300.10206@emra.pair.com>
References: <006701c5af14$7429f280$11a8a8c0@cliff> <4317828E.5030206@php.net>
	<Pine.BSF.4.58.0509012130300.10206@emra.pair.com>
Message-ID: <b762526905090207161080dc9d@mail.gmail.com>

On 9/1/05, David Mintz <dmintz at davidmintz.org> wrote:

> > > See: http://www.phpbuilder.com/columns/weiner20050831.php3

> I can testify that reading questionable tutorials and articles can set you
> way back. Granted it was back in the days when people were still using PHP
> 3, and security- and hygienic awareness in general was probably lower

Speaking of still using php3... I wonder if they really are, or if
that's simply a naming convention.

-- 
Chris Snyder
http://chxo.com/


From shiflett at php.net  Fri Sep  2 12:50:46 2005
From: shiflett at php.net (Chris Shiflett)
Date: Fri, 02 Sep 2005 12:50:46 -0400
Subject: [nycphp-talk] PHP Form Validation
In-Reply-To: <296BEAE9-A9E9-47C3-BA51-F43B9C856EED@billyreisinger.com>
References: <006701c5af14$7429f280$11a8a8c0@cliff> <4317828E.5030206@php.net>
	<296BEAE9-A9E9-47C3-BA51-F43B9C856EED@billyreisinger.com>
Message-ID: <431882E6.8010905@php.net>

Billy Reisinger wrote:
> Correct me if I'm wrong here, folks, but using a $_POST['variable']
> directly in a form is no more or less vulnerable to attack than
> using a different variable that is a reference to a $_POST variable.

That's right. In other words, the following is an example of a 
cross-site scripting vulnerability if $username is tainted:

echo "<p>Welcome, $username!</p>";

It's very easy to make a mistake that taints a variable without being 
obvious. For example, sometimes data is massaged several times before 
being used:

$user = $_POST['user'];

/* ... */

$user_array = explode(',', $user);

/* ... */

$name = $user_array[3];

/* ... */

list($first_name, $last_name) = explode(' ', $name);

/* ... */

echo "<p>Welcome, $first_name!</p>";

That's the best example I can think of on the fly. :-)

The point is that it's very easy to make a mistake - we all do it. 
That's the main reason why I try to adhere to practices that can help me 
make fewer mistakes.

I use $_POST sometimes in articles and talks just to make it obvious 
that the data is tainted and to make the example attacks simple and 
straightforward. That's why it's disappointing to see an article with 
such an obvious vulnerability.

> If you want to carry over form values after errors or across
> multiple form pages (i.e. preserve state), you have to reference
> these $_POST variables eventually, in some form or fashion. In
> this sense, ALL forms are vulnerable to hacks.

That's definitely not true. Consider a username form field. This is 
basically what the article in question recommends:

<input type="text"
        name="username"
        value="<?php echo $_POST['username']; ?>" />

Contrast that with this:

<?php

header('Content-Type: text/html; charset=UTF-8');

$clean = array();
$html = array();

if (isset($_POST['username'] &&
     ctype_alnum($_POST['username']))
{
     $clean['username'] = $_POST['username'];
}
else
{
     $clean['username'] = '';
}

$html['username'] = htmlentities($clean['username'],
                                  ENT_QUOTES,
                                  'UTF-8');

?>
<input type="text"
        name="username"
        value="<?php echo $html['username']; ?>" />

There's an enormous difference between the two.

Chris

-- 
Chris Shiflett
Brain Bulb, The PHP Consultancy
http://brainbulb.com/


From max at neuropunks.org  Fri Sep  2 13:48:13 2005
From: max at neuropunks.org (max)
Date: Fri, 2 Sep 2005 12:48:13 -0500
Subject: [nycphp-talk] PHP Form Validation
In-Reply-To: <431882E6.8010905@php.net>
References: <006701c5af14$7429f280$11a8a8c0@cliff> <4317828E.5030206@php.net>
	<296BEAE9-A9E9-47C3-BA51-F43B9C856EED@billyreisinger.com>
	<431882E6.8010905@php.net>
Message-ID: <20050902174813.GA33766@neuropunks.org>

This is what I usually use to clean forms I *know* should not contain html/scripting.
The only problem is restrictive regexp which won't let you use say ! as part of a password.
Just thought someone might find it usefull.. Pretty basic code really.

if ($_POST){ 
	$post = input_process($_POST); 
	echo "<input type=\"text\" name=\"username\" value=\"$post[username]\">";
}

function input_process ($array) {
        if (count($array) > 0) {
                foreach ($array as $key=>$value) {
                        trim($key);
                        trim($value);
                        validate($key);
                        validate($value);
                        $config["$key"] = $value;
                }
                return $config;
        } else {
                return $array;
        }
}

function validate ($string) {
        if ($string != "") {
                if (ereg('[^a-zA-Z0-9\@\.\_\/\ \-]', $string)) {
                        echo "Invalid input $string";
                        return false;
                } else {
                        return $string;
                }
        } else {
                return $string;
        }
}


On Fri, Sep 02, 2005 at 12:50:46PM -0400, Chris Shiflett wrote:
> Billy Reisinger wrote:
> > Correct me if I'm wrong here, folks, but using a $_POST['variable']
> > directly in a form is no more or less vulnerable to attack than
> > using a different variable that is a reference to a $_POST variable.
> 
> That's right. In other words, the following is an example of a 
> cross-site scripting vulnerability if $username is tainted:
> 
> echo "<p>Welcome, $username!</p>";
> 
> It's very easy to make a mistake that taints a variable without being 
> obvious. For example, sometimes data is massaged several times before 
> being used:
> 
> $user = $_POST['user'];
> 
> /* ... */
> 
> $user_array = explode(',', $user);
> 
> /* ... */
> 
> $name = $user_array[3];
> 
> /* ... */
> 
> list($first_name, $last_name) = explode(' ', $name);
> 
> /* ... */
> 
> echo "<p>Welcome, $first_name!</p>";
> 
> That's the best example I can think of on the fly. :-)
> 
> The point is that it's very easy to make a mistake - we all do it. 
> That's the main reason why I try to adhere to practices that can help me 
> make fewer mistakes.
> 
> I use $_POST sometimes in articles and talks just to make it obvious 
> that the data is tainted and to make the example attacks simple and 
> straightforward. That's why it's disappointing to see an article with 
> such an obvious vulnerability.
> 
> > If you want to carry over form values after errors or across
> > multiple form pages (i.e. preserve state), you have to reference
> > these $_POST variables eventually, in some form or fashion. In
> > this sense, ALL forms are vulnerable to hacks.
> 
> That's definitely not true. Consider a username form field. This is 
> basically what the article in question recommends:
> 
> <input type="text"
>         name="username"
>         value="<?php echo $_POST['username']; ?>" />
> 
> Contrast that with this:
> 
> <?php
> 
> header('Content-Type: text/html; charset=UTF-8');
> 
> $clean = array();
> $html = array();
> 
> if (isset($_POST['username'] &&
>      ctype_alnum($_POST['username']))
> {
>      $clean['username'] = $_POST['username'];
> }
> else
> {
>      $clean['username'] = '';
> }
> 
> $html['username'] = htmlentities($clean['username'],
>                                   ENT_QUOTES,
>                                   'UTF-8');
> 
> ?>
> <input type="text"
>         name="username"
>         value="<?php echo $html['username']; ?>" />
> 
> There's an enormous difference between the two.
> 
> Chris
> 
> -- 
> Chris Shiflett
> Brain Bulb, The PHP Consultancy
> http://brainbulb.com/
> _______________________________________________
> New York PHP Talk Mailing List
> AMP Technology
> Supporting Apache, MySQL and PHP
> http://lists.nyphp.org/mailman/listinfo/talk
> http://www.nyphp.org
> 


From shiflett at php.net  Fri Sep  2 14:02:59 2005
From: shiflett at php.net (Chris Shiflett)
Date: Fri, 02 Sep 2005 14:02:59 -0400
Subject: [nycphp-talk] PHP Form Validation
In-Reply-To: <20050902174813.GA33766@neuropunks.org>
References: <006701c5af14$7429f280$11a8a8c0@cliff>
	<4317828E.5030206@php.net>	<296BEAE9-A9E9-47C3-BA51-F43B9C856EED@billyreisinger.com>	<431882E6.8010905@php.net>
	<20050902174813.GA33766@neuropunks.org>
Message-ID: <431893D3.7020109@php.net>

max wrote:
> The only problem is restrictive regexp which won't
> let you use say ! as part of a password.

I never filter passwords like that - as long as you use the MD5 of 
something as your filtered password, you're pretty safe, because it's 
alphanumeric. This lets people use anything they want.

Chris

-- 
Chris Shiflett
Brain Bulb, The PHP Consultancy
http://brainbulb.com/


From jbaltz at altzman.com  Fri Sep  2 14:20:14 2005
From: jbaltz at altzman.com (Jerry B. Altzman)
Date: Fri, 02 Sep 2005 14:20:14 -0400
Subject: [nycphp-talk] PHP Form Validation
In-Reply-To: <431893D3.7020109@php.net>
References: <006701c5af14$7429f280$11a8a8c0@cliff> <4317828E.5030206@php.net>
	<296BEAE9-A9E9-47C3-BA51-F43B9C856EED@billyreisinger.com>
	<431882E6.8010905@php.net> <20050902174813.GA33766@neuropunks.org>
	<431893D3.7020109@php.net>
Message-ID: <431897DE.1010001@altzman.com>

On 9/2/2005 2:02 PM, Chris Shiflett wrote:
> max wrote:
>>The only problem is restrictive regexp which won't
>>let you use say ! as part of a password.
> I never filter passwords like that - as long as you use the MD5 of 
> something as your filtered password, you're pretty safe, because it's 
> alphanumeric. This lets people use anything they want.

In fact, using a hash of a password instead of the password itself has a 
number of advantages:

1) The database column is always fixed-length -- a nice to have if you 
can have it.
2) You can have a pass *phrase* not just a pass *word* -- makes 
remembering much easier.
3) YOu don't store in your database plaintext (which you shouldn't be 
doing anyway -- either you hash the password itself, or if you MUST have 
access to the original, crypt it and decrypt it in the DB.

> Chris

//jbaltz
-- 
jerry b. altzman        jbaltz at altzman.com              KE3ML
thank you for contributing to the heat death of the universe.


From bpilgrim1979 at gmail.com  Fri Sep  2 17:10:16 2005
From: bpilgrim1979 at gmail.com (Billy Pilgrim)
Date: Fri, 2 Sep 2005 17:10:16 -0400
Subject: [nycphp-talk] PHP Form Validation
In-Reply-To: <431897DE.1010001@altzman.com>
References: <006701c5af14$7429f280$11a8a8c0@cliff> <4317828E.5030206@php.net>
	<296BEAE9-A9E9-47C3-BA51-F43B9C856EED@billyreisinger.com>
	<431882E6.8010905@php.net> <20050902174813.GA33766@neuropunks.org>
	<431893D3.7020109@php.net> <431897DE.1010001@altzman.com>
Message-ID: <6ee3253b05090214106fe7549@mail.gmail.com>

With md5, you can also setup a non-ssl secure login.

http://pajhome.org.uk/crypt/md5/index.html

Yahoo Mail uses this approach for non-ssl logins.  (You can view
source to see the pajhome.org javascript library.)

BP


From kigathi at gmail.com  Sat Sep  3 02:34:19 2005
From: kigathi at gmail.com (Eric K.)
Date: Sat, 3 Sep 2005 02:34:19 -0400
Subject: [nycphp-talk] SVN questions: incremental save using file
	changes/deltas &
Message-ID: <f6b3106e05090223343d31ab30@mail.gmail.com>

During the last NYPHP Andrew & Jeff gave an interesting talk on SVN which 
left me with a couple of questions...

1) One of SVN's advantages was that it only saves file deltas and not a copy 
of the file. Isn't this unsafe? What if some newbie sysadmin(!!) botches my 
original file or one of my early commits, won't that invalidated all my 
subsequent commits

2) Is there a shortcut to speed up development or must I duplicate the 
entire server/dev environment in every developer's workspace?
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.nyphp.org/pipermail/talk/attachments/20050903/cfa3de29/attachment.html>

From andrew at plexpod.com  Sat Sep  3 08:59:52 2005
From: andrew at plexpod.com (Andrew Yochum)
Date: Sat, 3 Sep 2005 08:59:52 -0400
Subject: [nycphp-talk] SVN questions: incremental save using file
	changes/deltas &
In-Reply-To: <f6b3106e05090223343d31ab30@mail.gmail.com>
References: <f6b3106e05090223343d31ab30@mail.gmail.com>
Message-ID: <200509030859.52671.andrew@plexpod.com>

On Saturday 03 September 2005 02:34, Eric K. wrote:
> During the last NYPHP Andrew & Jeff gave an interesting talk on SVN which
> left me with a couple of questions...
>
> 1) One of SVN's advantages was that it only saves file deltas and not a
> copy of the file. Isn't this unsafe? What if some newbie sysadmin(!!)
> botches my original file or one of my early commits, won't that invalidated
> all my subsequent commits

A version repository is no substitution for backups.  The chances of this happening are the same for any other applications or data stored on your system.  How often does your new sysadmin blow away files in /var/lib/mysql? or /var/www/?  Botching or taking just 1 file out of either may completely render them useless.  Remember that you have a local snapshot of your repos in the form of a checkout.  But maintaining backups will ensure your data will be safe.  Even so, if your sysadmin continues to botch your files, find a new sysadmin :-)

> 2) Is there a shortcut to speed up development or must I duplicate the
> entire server/dev environment in every developer's workspace?

One suggestion is to use a virtual host and docroot per developer on a centralized development server.  This method fits right in with Hans' presentation using Eclipse as a remote editor, while keeping systems potentially development systems configurations limited to one box, reducing the effort required to create new ones.

HTH,
Andrew
-- 
Andrew Yochum
Plexpod
andrew at plexpod.com
718-360-0879
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.nyphp.org/pipermail/talk/attachments/20050903/7756fc7c/attachment.html>

From andrew at plexpod.com  Sat Sep  3 09:37:49 2005
From: andrew at plexpod.com (Andrew Yochum)
Date: Sat, 3 Sep 2005 09:37:49 -0400
Subject: [nycphp-talk] SVN questions: incremental save using file
	changes/deltas &
In-Reply-To: <200509030859.52671.andrew@plexpod.com>
References: <f6b3106e05090223343d31ab30@mail.gmail.com>
	<200509030859.52671.andrew@plexpod.com>
Message-ID: <200509030937.49133.andrew@plexpod.com>

On Saturday 03 September 2005 08:59, Andrew Yochum wrote:
> This method fits right in with Hans'
> presentation using Eclipse as a remote editor, while keeping systems
> potentially development systems configurations limited to one box, reducing
> the effort required to create new ones.

Yeah, I foobar'ed that. Should've read:
This method fits right in with Hans' presentation using Eclipse as a remote 
editor, while keeping development systems configurations limited to one box, 
reducing the effort required to create new ones.

-- 
Andrew Yochum
Plexpod
andrew at plexpod.com
718-360-0879


From chsnyder at gmail.com  Sat Sep  3 09:41:00 2005
From: chsnyder at gmail.com (csnyder)
Date: Sat, 3 Sep 2005 09:41:00 -0400
Subject: [nycphp-talk] SVN questions: incremental save using file
	changes/deltas &
In-Reply-To: <f6b3106e05090223343d31ab30@mail.gmail.com>
References: <f6b3106e05090223343d31ab30@mail.gmail.com>
Message-ID: <b76252690509030641573a714c@mail.gmail.com>

On 9/3/05, Eric K. <kigathi at gmail.com> wrote:
  
>  2) Is there a shortcut to speed up development or must I duplicate the
> entire server/dev environment in every developer's workspace?

In his Eclipse demo Hans really bashed VNC for development, but I've
had great results using it to allow a small team to do work directly
on a development server from their own workstations. It's definitely
recommended over sftp or WebDAV for development on the same LAN, just
as those technologies are more useful when working remotely.

But there's another angle to this: a well-planned project should be
easy to deploy. If each developer has to install XAMPP, edit their
local Apache config, create and initialize the database, and create a
local configuration file before they can start hacking the code, you
will collectively figure out how to streamline the process early on.

Document the install process and put it in a docs folder in your
project, along with an sql dump of the database structure and whatever
test data you work with. (Or use a remote connection to a single
database.)

One thing I would add to J and A's presentation: don't put your local
configuration file (the one that sets paths to things) under version
control.

If you have something like conf/config.php, move it to
conf/config-dist.php before importing your code into subversion. After
you check out the first working copy, and recreate the local
configuration at conf/config.php, you should (for safety's sake) tell
subversion to ignore that file from now on:

svn propedit svn:ignore conf    

...tells svn you want to edit the ignore property of the conf
directory. Svn opens an editor, to which you can add the single line:

config.php

Once you commit the property change, svn will ignore conf/config.php
so that someone can't accidentally add it and overwrite everyone
else's local configs. For more on svn:ignore, see
http://svnbook.red-bean.com/en/1.1/ch07s02.html#svn-ch-7-sect-2.3.3


-- 
Chris Snyder
http://chxo.com/


From ps at pswebcode.com  Sat Sep  3 11:03:26 2005
From: ps at pswebcode.com (Peter Sawczynec)
Date: Sat, 3 Sep 2005 11:03:26 -0400
Subject: [nycphp-talk] PHP Form Validation
In-Reply-To: <6ee3253b05090214106fe7549@mail.gmail.com>
Message-ID: <001201c5b098$a679b9c0$6500a8c0@Liz>

An Unnecessary Diversion That Requires No Attention

Thirty years ago an alarm on a car was an outrageous extravagance, 15 years
ago a moderately-priced optional add-on. Today, comes from the factory
pre-installed. Who would expect less? 

Wouldn't it be nice if in the near future, in the general discussion of
programming languages one of the finer selling points of why use PHP would
be: "PHP makes it exceptionally hard for even a novice to code insecurely.
It is literally one of the best for security. Hands down. That is a general
industry consensus."

This dialogue about form handling, the difficulties and solutions offered
here absolutely positively should be offered in the php.net general
introduction along with these other hypothetically named sections such as:

"For novice: The secure PHP install. Execute steps 1-10, period. Don't ask
any questions just do it this way", 

"For advanced: The fully-locked down php.ini, a freshened standard in
scripting language security", 

"Changing to secure form code now",

"Understanding the unsafe chasm in an HTTP to PHP communications transfer", 

"Extremely compromising errors display should be turned off by default, and
logging to file into an default errs directory should be the default.", 

"Try the new phpMyErrs versatile errors log viewer works like phpMyAdmin is
to MySQL. (Maybe can look into Apache err logs too.)", 

"Introducing the watch_this_script() function (superseding the less
intuitively named error_log()) that accepts a valid email address as an nth
parameter and if put at the top of a script page will email date, time and
all errors on that script with line number(s) automatically. How about a
baldly named recent_ten_errs(). Both work from anywhere, at any time like
phpinfo().", 

"Introducing the mandatory retrieve_safe_post_data() that accepts a
non-optional array of the variables expected (and that you would have to
modify the php.ini to not use this function) and a the new standardized
safe_email function that is quite strict and strips out all the really in
your face bad strings (unless you provide an exceptions white list). That
both of these function would even throw security_errors when they do catch
stuff and have an optional nth parameter of the email address that should
get the date, time and errors notifications.",


And all this might be commingled with the very exciting and brand new to
PHP6:

"How the new PHP6 acts as a pseudo-streaming media server with the new:
stream_media functions family." 

"The new get_time_by_long_and_latitude() and/or get_time_by_city() functions
that have daylight savings, leap year, procession of the stars (kidding)
built-in."

"'<Embed_code name="embed_script_1" params="v1, v2, v3" language=" PERL |
ASP | VB " />'"

I have just finished una semana dif?cil. 

But truly thank you to all -- many so tremendously gifted who contribute to
this endless conversational venture. 

Someone once mused: be careful, the more you use it, the more you can get
used. Seems to apply quite aptly to all digital tools and functions. 

Peter



-----Original Message-----
From: talk-bounces at lists.nyphp.org [mailto:talk-bounces at lists.nyphp.org] On
Behalf Of Billy Pilgrim
Sent: Friday, September 02, 2005 5:10 PM
To: NYPHP Talk
Subject: Re: [nycphp-talk] PHP Form Validation


With md5, you can also setup a non-ssl secure login.

http://pajhome.org.uk/crypt/md5/index.html

Yahoo Mail uses this approach for non-ssl logins.  (You can view source to
see the pajhome.org javascript library.)

BP
_______________________________________________
New York PHP Talk Mailing List
AMP Technology
Supporting Apache, MySQL and PHP
http://lists.nyphp.org/mailman/listinfo/talk
http://www.nyphp.org




From bpilgrim1979 at gmail.com  Sat Sep  3 16:27:48 2005
From: bpilgrim1979 at gmail.com (Billy Pilgrim)
Date: Sat, 3 Sep 2005 16:27:48 -0400
Subject: [nycphp-talk] PHP Form Validation
In-Reply-To: <001201c5b098$a679b9c0$6500a8c0@Liz>
References: <6ee3253b05090214106fe7549@mail.gmail.com>
	<001201c5b098$a679b9c0$6500a8c0@Liz>
Message-ID: <6ee3253b05090313276e581da6@mail.gmail.com>

On 9/3/05, Peter Sawczynec <ps at pswebcode.com> wrote:
> "For advanced: The fully-locked down php.ini, a freshened standard in
> scripting language security",

http://us3.php.net/manual/en/install.unix.php

13. Setup your php.ini file:

      cp php.ini-dist /usr/local/lib/php.ini

    You may edit your .ini file to set PHP options.  If you prefer your
    php.ini in another location, use --with-config-file-path=/some/path in
    step 10. 
    
    If you instead choose php.ini-recommended, be certain to read the list
    of changes within, as they affect how PHP behaves.


From bpilgrim1979 at gmail.com  Sat Sep  3 16:44:31 2005
From: bpilgrim1979 at gmail.com (Billy Pilgrim)
Date: Sat, 3 Sep 2005 16:44:31 -0400
Subject: [nycphp-talk] SVN questions: incremental save using file
	changes/deltas &
In-Reply-To: <f6b3106e05090223343d31ab30@mail.gmail.com>
References: <f6b3106e05090223343d31ab30@mail.gmail.com>
Message-ID: <6ee3253b050903134431d7532c@mail.gmail.com>

On 9/3/05, Eric K. <kigathi at gmail.com> wrote:

>  1) One of SVN's advantages was that it only saves file deltas and not a
> copy of the file. Isn't this unsafe? What if some newbie sysadmin(!!)
> botches my original file or one of my early commits, won't that invalidated
> all my subsequent commits

This question is immaterial because neither developers nor repository
administrators have anything to do with the internal file deltas, etc.
 A sysadmin installs subversion and then the subversion handles
commits--a "newbie sysadmin" isn't personally involved in any commit,
"original file", etc.  This question just doesn't make sense. 
Subversion just doesn't work that way.  :)

Also, your svn repos should be FSFS, not Berkeley.
http://svnbook.red-bean.com/en/1.1/ch05.html#svn-ch-5-sect-1.3

>  2) Is there a shortcut to speed up development or must I duplicate the
> entire server/dev environment in every developer's workspace?

If you're using subversion, you should WANT to have separate dev
environments.  Then files are shared through subversion.  But if your
dev team wants to edit the same files on a live webroot with Windows
Map a Network Drive, you are welcome to do that too.  :P

BP


From phil at bearingasset.com  Sun Sep  4 10:44:59 2005
From: phil at bearingasset.com (Phil Duffy)
Date: Sun, 4 Sep 2005 10:44:59 -0400
Subject: [nycphp-talk] Partial Name Lookup Function in PEAR
In-Reply-To: <8C77CAA3E05A480-94C-297D@MBLK-M28.sysops.aol.com>
Message-ID: <20050904144507.1B0B9A86DE@virtu.nyphp.org>

Lee,

 

This is the PEAR-based solution to the question I posed earlier.

 

    $personList = & new DataObjects_Person();

    $lastNamePattern = $input->person->last_name;

    $lastNamePattern = addslashes($lastNamePattern) . '%';

    $personList->whereAdd("last_name LIKE '$lastNamePattern'");

    $personList->orderBy('last_name');

    $result = $personList->find();

 

Many thanks for your prompt, excellent suggestion.  It started me on the
right path and allowed me to pose a specific question to the Seagull
community, which provided an insight.

 

Phil

 

 

  _____  

From: talk-bounces at lists.nyphp.org [mailto:talk-bounces at lists.nyphp.org] On
Behalf Of leeeyerman at aol.com
Sent: Wednesday, August 31, 2005 8:19 PM
To: talk at lists.nyphp.org
Subject: Re: [nycphp-talk] Partial Name Lookup Function in PEAR

 

 I do not know about PEAR but if you are just trying to look up a first or
last name (or anything other name/text) using only a partial piece of
information the LIKE command is best.

 

SELECT "column" FROM "table" WHERE "column_name" LIKE [PATTERN] 

 

ie.

 

SELECT * FROM pics WHERE pic_name LIKE '%ANG%'

 

This would return all pic_name where ANG is contained in the string.

 

http://www.1keydata.com/sql/sqllike.html

http://www.techonthenet.com/sql/like.php 

 

 

 
-----Original Message-----
From: Phil Duffy <phil at bearingasset.com>
To: 'NYPHP Talk' <talk at lists.nyphp.org>
Sent: Wed, 31 Aug 2005 21:05:48 -0400
Subject: [nycphp-talk] Partial Name Lookup Function in PEAR

Does PEAR offer a partial name lookup function?  What is the best way to do
a partial name lookup in a database-independent manner?  If I must drop back
to hard-coded MySQL calls, is the LOCATE() function the appropriate one to
use in this situation?

Any responses will be appreciated, including advice to direct these
questions to another list.

Phil Duffy

_______________________________________________

New York PHP Talk Mailing List

AMP Technology

Supporting Apache, MySQL and PHP

http://lists.nyphp.org/mailman/listinfo/talk

http://www.nyphp.org

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.nyphp.org/pipermail/talk/attachments/20050904/70cb52e7/attachment.html>

From matt at jobsforge.com  Sun Sep  4 11:25:05 2005
From: matt at jobsforge.com (Matthew Terenzio)
Date: Sun, 4 Sep 2005 11:25:05 -0400
Subject: [nycphp-talk] HTML_QuickForm name attribute
Message-ID: <87aa9364c0c5a76122269e63a691512b@jobsforge.com>


I see that HTML_Quick_Form adds the name attribute to the form but 
xhtml1.0 strict doesn't support that attribute.
I was thinking of hacking up the class.

Does anyone know off hand whether there would be any problems without 
it?

Matt



From lists at zaunere.com  Sun Sep  4 18:44:05 2005
From: lists at zaunere.com (Hans Zaunere)
Date: Sun, 4 Sep 2005 18:44:05 -0400
Subject: [nycphp-talk] SVN questions: incremental save using
	filechanges/deltas &
In-Reply-To: <b76252690509030641573a714c@mail.gmail.com>
Message-ID: <0MKoyl-1EC3Db1GrL-0006eC@mrelay.perfora.net>



csnyder wrote on Saturday, September 03, 2005 9:41 AM:
> On 9/3/05, Eric K. <kigathi at gmail.com> wrote:
> 
> >  2) Is there a shortcut to speed up development or must I duplicate the
> > entire server/dev environment in every developer's workspace?
> 
> In his Eclipse demo Hans really bashed VNC for development, but I've

Well, ok...

> had great results using it to allow a small team to do work directly
> on a development server from their own workstations. It's definitely
> recommended over sftp or WebDAV for development on the same LAN, just
> as those technologies are more useful when working remotely.

I don't know if I'd agree actually.  Depending on the operating system and user preference, pinning developers to a single platform by way of remote desktops can be troublesome, which is one of my primary objections.

> But there's another angle to this: a well-planned project should be
> easy to deploy. If each developer has to install XAMPP, edit their
> local Apache config, create and initialize the database, and create a
> local configuration file before they can start hacking the code, you
> will collectively figure out how to streamline the process early on.
> 
> Document the install process and put it in a docs folder in your
> project, along with an sql dump of the database structure and whatever
> test data you work with. (Or use a remote connection to a single
> database.)
> 
> One thing I would add to J and A's presentation: don't put your local
> configuration file (the one that sets paths to things) under version
> control.
> 
> If you have something like conf/config.php, move it to
> conf/config-dist.php before importing your code into subversion. After
> you check out the first working copy, and recreate the local
> configuration at conf/config.php, you should (for safety's sake) tell
> subversion to ignore that file from now on:
> 
> svn propedit svn:ignore conf
> 
> ...tells svn you want to edit the ignore property of the conf
> directory. Svn opens an editor, to which you can add the single line:
> 
> config.php
> 
> Once you commit the property change, svn will ignore conf/config.php
> so that someone can't accidentally add it and overwrite everyone
> else's local configs. For more on svn:ignore, see
> http://svnbook.red-bean.com/en/1.1/ch07s02.html#svn-ch-7-sect-2.3.3

That's a great outline of the process for ignoring files, etc.


---
Hans Zaunere
President, Founder
New York PHP
http://www.nyphp.org

AMP Technology
Supporting Apache, MySQL and PHP



From lists at zaunere.com  Sun Sep  4 19:04:33 2005
From: lists at zaunere.com (Hans Zaunere)
Date: Sun, 4 Sep 2005 19:04:33 -0400
Subject: [nycphp-talk] PHP Form Validation
In-Reply-To: <6ee3253b05090313276e581da6@mail.gmail.com>
Message-ID: <0MKoyl-1EC3XO3yhk-0006r9@mrelay.perfora.net>



Billy Pilgrim wrote on Saturday, September 03, 2005 4:28 PM:
> On 9/3/05, Peter Sawczynec <ps at pswebcode.com> wrote:
> > "For advanced: The fully-locked down php.ini, a freshened standard in
> > scripting language security",
> 
> http://us3.php.net/manual/en/install.unix.php
> 
> 13. Setup your php.ini file:
> 
>       cp php.ini-dist /usr/local/lib/php.ini
> 
>     You may edit your .ini file to set PHP options.  If you prefer your
>     php.ini in another location, use --with-config-file-path=/some/path in
>     step 10.
> 
>     If you instead choose php.ini-recommended, be certain to read the list
>     of changes within, as they affect how PHP behaves.

php.ini-recommended does change behavior, but it's the correct behavior.  Code should be written to work under the settings contained within php.ini-recommended.  In fact, the first thing I do on all PHP installs is to cp php.ini-recommended to php.ini in the proper directory.

Using php.ini-recommended provides for better security, performance, and eliminates many of the idiosyncrasies that PHP has seen over the years.

H



From brettstil at gmail.com  Sun Sep  4 23:33:35 2005
From: brettstil at gmail.com (Brett Stilwell)
Date: Sun, 4 Sep 2005 23:33:35 -0400
Subject: [nycphp-talk] SVN questions: incremental save using file
	changes/deltas &
In-Reply-To: <b76252690509030641573a714c@mail.gmail.com>
References: <f6b3106e05090223343d31ab30@mail.gmail.com>
	<b76252690509030641573a714c@mail.gmail.com>
Message-ID: <4048d2ca05090420331f8cb043@mail.gmail.com>

On 9/3/05, csnyder <chsnyder at gmail.com> wrote:
> But there's another angle to this: a well-planned project should be
> easy to deploy. If each developer has to install XAMPP, edit their
> local Apache config, create and initialize the database, and create a
> local configuration file before they can start hacking the code, you
> will collectively figure out how to streamline the process early on.
> 
> Document the install process and put it in a docs folder in your
> project, along with an sql dump of the database structure and whatever
> test data you work with. (Or use a remote connection to a single
> database.)

Absolutely.  Every developer should understand how AMP is setup.  How
php.ini and httpd.conf are configured.  etc.  Every developer should
be required to install his own dev station based on the dev team docs.

Once that is understood, source control really comes into play with
local working copies vs commited files, branches for bug fixing vs new
release, version release tags, etc.

BP


From mikko.rantalainen at peda.net  Mon Sep  5 04:12:31 2005
From: mikko.rantalainen at peda.net (Mikko Rantalainen)
Date: Mon, 05 Sep 2005 11:12:31 +0300
Subject: [nycphp-talk] Partial Name Lookup Function in PEAR
In-Reply-To: <20050904144507.1B0B9A86DE@virtu.nyphp.org>
References: <20050904144507.1B0B9A86DE@virtu.nyphp.org>
Message-ID: <431BFDEF.4010805@peda.net>

Phil Duffy wrote:
> This is the PEAR-based solution to the question I posed earlier.
> 
>     $personList = & new DataObjects_Person();
>     $lastNamePattern = $input->person->last_name;
>     $lastNamePattern = addslashes($lastNamePattern) . '%';

Is this safe? I thought you were supposed to use
mysql_real_escape_string() with MySQL and pg_escape_string() with 
PostgreSQL and something else with other database engines.

Code that uses DB_DataObject should use following code instead if 
I've understood correctly:

$lastNamePattern = $personList->escape($lastNamePattern) . '%';

Documentation:
http://pear.php.net/manual/en/package.database.db-dataobject.db-dataobject.escape.php

>     $personList->whereAdd("last_name LIKE '$lastNamePattern'");
>     $personList->orderBy('last_name');
>     $result = $personList->find();

Am I the only one wondering if using OO-interface is really LESS 
error prone or EASIER than just writing the SQL queries by myself. 
At least, with interface like this...

-- 
Mikko


From ps at pswebcode.com  Mon Sep  5 07:46:56 2005
From: ps at pswebcode.com (Peter Sawczynec)
Date: Mon, 5 Sep 2005 07:46:56 -0400
Subject: [nycphp-talk] PHP Form Validation
In-Reply-To: <0MKoyl-1EC3XO3yhk-0006r9@mrelay.perfora.net>
Message-ID: <000301c5b20f$87e67c50$6500a8c0@Liz>

I knew I'd looked through the "php.ini-recommended" before and I did not
find it thorough, so for the purposes of this discussion I just reviewed it
again and I still find: 

open_basedir = "" [is not set],  
allow_url_fopen = On, 
expose_php = On, 
safe_mode = off,
track_errors = Off,

All these settings should be reversed for the default. Open_basedir must be
set.
Like I said, out of the box with all restrictions and let admins turn on
features only as needed.

Apache also has several little canoodles in the conf, e.g.: ServerSignature
On.  Specifying Listen should probably be mandatory.

Peter





-----Original Message-----
From: talk-bounces at lists.nyphp.org [mailto:talk-bounces at lists.nyphp.org] On
Behalf Of Hans Zaunere
Sent: Sunday, September 04, 2005 7:05 PM
To: 'NYPHP Talk'
Subject: Re: [nycphp-talk] PHP Form Validation




Billy Pilgrim wrote on Saturday, September 03, 2005 4:28 PM:
> On 9/3/05, Peter Sawczynec <ps at pswebcode.com> wrote:
> > "For advanced: The fully-locked down php.ini, a freshened standard 
> > in scripting language security",
> 
> http://us3.php.net/manual/en/install.unix.php
> 
> 13. Setup your php.ini file:
> 
>       cp php.ini-dist /usr/local/lib/php.ini
> 
>     You may edit your .ini file to set PHP options.  If you prefer your
>     php.ini in another location, use --with-config-file-path=/some/path in
>     step 10.
> 
>     If you instead choose php.ini-recommended, be certain to read the list
>     of changes within, as they affect how PHP behaves.

php.ini-recommended does change behavior, but it's the correct behavior.
Code should be written to work under the settings contained within
php.ini-recommended.  In fact, the first thing I do on all PHP installs is
to cp php.ini-recommended to php.ini in the proper directory.

Using php.ini-recommended provides for better security, performance, and
eliminates many of the idiosyncrasies that PHP has seen over the years.

H

_______________________________________________
New York PHP Talk Mailing List
AMP Technology
Supporting Apache, MySQL and PHP
http://lists.nyphp.org/mailman/listinfo/talk
http://www.nyphp.org




From phil at bearingasset.com  Mon Sep  5 08:35:27 2005
From: phil at bearingasset.com (Phil Duffy)
Date: Mon, 5 Sep 2005 08:35:27 -0400
Subject: [nycphp-talk] Partial Name Lookup Function in PEAR
In-Reply-To: <431BFDEF.4010805@peda.net>
Message-ID: <20050905123544.B0F21A86E8@virtu.nyphp.org>

Mikko,

Thanks for your observation.  I see your point and have made the change.

Phil

-----Original Message-----
From: talk-bounces at lists.nyphp.org [mailto:talk-bounces at lists.nyphp.org] On
Behalf Of Mikko Rantalainen
Sent: Monday, September 05, 2005 3:13 AM
To: NYPHP Talk
Subject: Re: [nycphp-talk] Partial Name Lookup Function in PEAR

Phil Duffy wrote:
> This is the PEAR-based solution to the question I posed earlier.
> 
>     $personList = & new DataObjects_Person();
>     $lastNamePattern = $input->person->last_name;
>     $lastNamePattern = addslashes($lastNamePattern) . '%';

Is this safe? I thought you were supposed to use
mysql_real_escape_string() with MySQL and pg_escape_string() with 
PostgreSQL and something else with other database engines.

Code that uses DB_DataObject should use following code instead if 
I've understood correctly:

$lastNamePattern = $personList->escape($lastNamePattern) . '%';

Documentation:
http://pear.php.net/manual/en/package.database.db-dataobject.db-dataobject.e
scape.php

>     $personList->whereAdd("last_name LIKE '$lastNamePattern'");
>     $personList->orderBy('last_name');
>     $result = $personList->find();
Am I the only one wondering if using OO-interface is really LESS 
error prone or EASIER than just writing the SQL queries by myself. 
At least, with interface like this...

-- 
Mikko
_______________________________________________
New York PHP Talk Mailing List
AMP Technology
Supporting Apache, MySQL and PHP
http://lists.nyphp.org/mailman/listinfo/talk
http://www.nyphp.org






From chsnyder at gmail.com  Mon Sep  5 09:40:37 2005
From: chsnyder at gmail.com (csnyder)
Date: Mon, 5 Sep 2005 09:40:37 -0400
Subject: [nycphp-talk] HTML_QuickForm name attribute
In-Reply-To: <87aa9364c0c5a76122269e63a691512b@jobsforge.com>
References: <87aa9364c0c5a76122269e63a691512b@jobsforge.com>
Message-ID: <b7625269050905064061a59b33@mail.gmail.com>

On 9/4/05, Matthew Terenzio <matt at jobsforge.com> wrote:
> 
> I see that HTML_Quick_Form adds the name attribute to the form but
> xhtml1.0 strict doesn't support that attribute.
> I was thinking of hacking up the class.
> 
> Does anyone know off hand whether there would be any problems without
> it?
> 
> Matt

Unless you really need XHTML Strict for some reason you could save
yourself a lot of trouble and use XHTML Transitional.

Have you tried using forms without name attributes? In my experience
they don't actually work yet.


From shiflett at php.net  Mon Sep  5 11:20:50 2005
From: shiflett at php.net (Chris Shiflett)
Date: Mon, 05 Sep 2005 11:20:50 -0400
Subject: [nycphp-talk] PHP Form Validation
In-Reply-To: <000301c5b20f$87e67c50$6500a8c0@Liz>
References: <000301c5b20f$87e67c50$6500a8c0@Liz>
Message-ID: <431C6252.5000507@php.net>

Peter Sawczynec wrote:
> I knew I'd looked through the "php.ini-recommended" before and I did not
> find it thorough, so for the purposes of this discussion I just reviewed
> it again and I still find:
>
> open_basedir = "" [is not set],
> allow_url_fopen = On,
> expose_php = On,
> safe_mode = off,
> track_errors = Off,
>
> All these settings should be reversed for the default.

While open_basedir is a good thing to set, there's no way a default 
config file that comes bundled with the distribution can specify a value 
that fits everyone's needs. This is something that needs to remain as is.

Disabling expose_php would seriously hurt the usage graph, so that's 
unlikely to happen. I'm not saying the PHP Group is more concerned with 
marketing than security, but there is very little to be gained by 
disabling this, so there's really no point. A little obscurity never 
hurts, but it's not worth much.

The safe_mode directive needs to go. I would hate to see that enabled by 
default. I'd rather see it not in the config file at all. This is a 
likely scenario for PHP 6.0. In exchange, hosts can utilize open_basedir 
and disable_functions, and perhaps the config file can have some 
commented lines with suggestions.

> Apache also has several little canoodles in the conf, e.g.:
> ServerSignature On.

Same as above. A little bit of obscurity has a little bit of value, but 
it's not worth "hiding" the fact that so many people use Apache and PHP.

Chris

-- 
Chris Shiflett
Brain Bulb, The PHP Consultancy
http://brainbulb.com/


From chsnyder at gmail.com  Mon Sep  5 13:52:04 2005
From: chsnyder at gmail.com (csnyder)
Date: Mon, 5 Sep 2005 13:52:04 -0400
Subject: [nycphp-talk] PHP Form Validation
In-Reply-To: <431C6252.5000507@php.net>
References: <000301c5b20f$87e67c50$6500a8c0@Liz> <431C6252.5000507@php.net>
Message-ID: <b76252690509051052755369d8@mail.gmail.com>

On 9/5/05, Chris Shiflett <shiflett at php.net> wrote:
> A little bit of obscurity has a little bit of value, but
> it's not worth "hiding" the fact that so many people use Apache and PHP.

Yep. Turning off the product signatures is important if you want to
hide version information from your clients or your boss, and it might
protect you from casual scans via Google.

But there's nothing to stop an attacking 'bot from discovering the
version levels on its own, by trying known vulnerabilities.


From dmintz at davidmintz.org  Mon Sep  5 15:29:43 2005
From: dmintz at davidmintz.org (David Mintz)
Date: Mon, 5 Sep 2005 15:29:43 -0400 (EDT)
Subject: [nycphp-talk] to __autoload or not to __autoload?
Message-ID: <Pine.BSF.4.58.0509051451100.2208@emra.pair.com>


If you use HTML_QuickForm with a PHP5 __autoload() function such as the
following...

function __autoload($class) {
	include_once(str_replace('_',DIRECTORY_SEPARATOR,$class).'.php');
}

...you can get burned by a line in RuleRegistry.php that depends on PHP4
classname insensitivity where it tests whether something
is_a('lowercase_classname')

   if (is_a($element, 'html_quickform_group')) { /* ... */ }

And it seems that there has been some controversy over whether this is a
bug requiring fixing, or the user's problem
(http://marc.theaimsgroup.com/?l=pear-dev&m=112241111400053&w=2 etc).

In my case it won't be a problem if I either fix this line myself, or stop
using __autoload().

But an __autoload() is also going to fail where classes are bundled in the
same file, which in some cases is not an unreasonable thing to do, imho.

So I am wondering what people's thoughts are about __autoload() generally.
Do you?  Why or why not?



---
David Mintz
http://davidmintz.org/


From lists at zaunere.com  Mon Sep  5 23:00:31 2005
From: lists at zaunere.com (Hans Zaunere)
Date: Mon, 5 Sep 2005 23:00:31 -0400
Subject: [nycphp-talk] SVN questions: incremental save using
	filechanges/deltas &
In-Reply-To: <f6b3106e05090223343d31ab30@mail.gmail.com>
Message-ID: <0MKoyl-1ECThK0Hhg-0001o7@mrelay.perfora.net>



Eric K. wrote on Saturday, September 03, 2005 2:34 AM:
> During the last NYPHP Andrew & Jeff gave an interesting talk on SVN which
> left me with a couple of questions... 
> 
> 1) One of SVN's advantages was that it only saves file deltas and not a
> copy of the file. Isn't this unsafe? What if some newbie sysadmin(!!)
> botches my original file or one of my early commits, won't that
> invalidated all my subsequent commits

As Andrew points out, svn isn't a backup, recovery, or retention solution.  In fact, it could be considered a point of vulnerability, just like any other source repository.  There are two things well protected in this world:  Microsoft's and Oracle's source repositories.

Seriously though, the SVN server should have a regular backup routine, and it's always a good idea to keep at least 5 days of backups.  Basically the facets of any good backup strategy - geographic duplicity, off-site archival, retention, etc. - all apply here.

> 2) Is there a shortcut to speed up development or must I duplicate the
> entire server/dev environment in every developer's workspace?

This is basically what my presentation covered, and we'll get those slides online soon.  The short version is that by using a combination of technologies - Windows XP, Eclipse, WebDrive, and either WebDAV, SFTP or even FTP - a team of developers can work on a single server.  This has a couple of key advantages:

-- no need to recreate the dev environment multiple times
-- no code/environment drift.  Even if you set up environments exactly the same, it's inevitable that the developers will want to tweak their settings, resulting in unexpected results when deployed.
-- developers can use the platform of their choice as a workstation, whether it be Windows, Mac or UNIX


---
Hans Zaunere / President / New York PHP
www.nyphp.com




From greg.rundlett at gmail.com  Tue Sep  6 21:38:45 2005
From: greg.rundlett at gmail.com (Greg Rundlett)
Date: Tue, 6 Sep 2005 21:38:45 -0400
Subject: [nycphp-talk] to __autoload or not to __autoload?
In-Reply-To: <Pine.BSF.4.58.0509051451100.2208@emra.pair.com>
References: <Pine.BSF.4.58.0509051451100.2208@emra.pair.com>
Message-ID: <5e2aaca4050906183827cf3e8a@mail.gmail.com>

On 9/5/05, David Mintz <dmintz at davidmintz.org> wrote:
> 
> 
> So I am wondering what people's thoughts are about __autoload() generally.
> Do you? Why or why not?



I don't use it. I want to know specifically what classes I'm loading, and 
add comments about why I'm loading them if it's not obvious. Others might 
argue that it makes life easier, but it doesn't make life easy for 
users/developers who use your code, and searching for what library defines 
some class. If somebody insists that it's a language feature, and makes use 
of that feature for convenience, then I hope that they also consider 
documentation a feature, and make use of that convenience too. ;-)
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.nyphp.org/pipermail/talk/attachments/20050906/aa533be1/attachment.html>

From cliff at pinestream.com  Wed Sep  7 09:45:25 2005
From: cliff at pinestream.com (Cliff Hirsch)
Date: Wed, 7 Sep 2005 09:45:25 -0400
Subject: [nycphp-talk] Favorite PEAR Packages
In-Reply-To: <6ee3253b05090214106fe7549@mail.gmail.com>
Message-ID: <000b01c5b3b2$66880cf0$11a8a8c0@cliff>

Every time I look at PEAR packages, I think, "wow that sure would have
saved me some time." Then, when I dig deeper, I see that the package is
in alpha, or it has no documentation, or the learning curve doesn't
appear to be worth the effort, or I worry about customization and
extensibility to my specific requirements (such as how committed do I
get before I hit the wall with the package) or I worry if the general
purpose nature of these packages will cause them to be slow.

The latest packages I have looked at that have caused this angst are
Structures_DataGrid, HTML_Table, Pager 2.2 and Validate. Although these
same general thoughts appear with many other packages such as the mighty
HTML Quickform.

What packages are your favorites? Would you use them for full blown,
large scale custom web applications or smaller "corporate-style"
development effort? Any thoughts or experience with extensibility,
rendering and performance?

Cliff Hirsch



From dcech at phpwerx.net  Wed Sep  7 10:21:30 2005
From: dcech at phpwerx.net (Dan Cech)
Date: Wed, 07 Sep 2005 10:21:30 -0400
Subject: [nycphp-talk] Favorite PEAR Packages
In-Reply-To: <000b01c5b3b2$66880cf0$11a8a8c0@cliff>
References: <000b01c5b3b2$66880cf0$11a8a8c0@cliff>
Message-ID: <431EF76A.1080507@phpwerx.net>

Cliff,

Firstly let me get one 'pet peeve' off my chest.  When creating a new 
topic please create a new email rather than replying to a list message 
with a different subject line.  For those of us using email clients with 
threading support this gets really annoying.

As for PEAR packages, I use DB on a daily basis at work and would not be 
without it (or adodb if that's your preference) for any major project.

I have also had great success with Mail_Mime for parsing incoming email 
messages, Spreadsheet_Excel_Writer and XML_RPC.

You do sometimes have to get used to doing things 'the PEAR way', but 
the wealth of pre-developed and tested software is something that is 
very hard to ignore.
Dan

Cliff Hirsch wrote:
> Every time I look at PEAR packages, I think, "wow that sure would have
> saved me some time." Then, when I dig deeper, I see that the package is
> in alpha, or it has no documentation, or the learning curve doesn't
> appear to be worth the effort, or I worry about customization and
> extensibility to my specific requirements (such as how committed do I
> get before I hit the wall with the package) or I worry if the general
> purpose nature of these packages will cause them to be slow.
> 
> The latest packages I have looked at that have caused this angst are
> Structures_DataGrid, HTML_Table, Pager 2.2 and Validate. Although these
> same general thoughts appear with many other packages such as the mighty
> HTML Quickform.
> 
> What packages are your favorites? Would you use them for full blown,
> large scale custom web applications or smaller "corporate-style"
> development effort? Any thoughts or experience with extensibility,
> rendering and performance?
> 
> Cliff Hirsch


From ps at pswebcode.com  Thu Sep  8 15:15:18 2005
From: ps at pswebcode.com (Peter Sawczynec)
Date: Thu, 8 Sep 2005 15:15:18 -0400
Subject: [nycphp-talk] A SQL Shout Out
Message-ID: <000001c5b4a9$b8cbbdc0$6500a8c0@Liz>

I simply wanted to give a special notable mention and thanks to O'Reilly's
"MySQL Cookbook" which in the last year has handily become my
most-referenced reference. And probably has lead me to more effective
solutions than any other reference I've stacked around the desk. [I try to
solve almost everything first with SQL.]

Additionally, I wanted to note that for exploring SQL more deeply as a
language I found "The Practical SQL Handbook" and "Joe Celko's SQL for
Smarties" elegant, stretching out like seasoned profs.


Warmest regards,

Peter Sawczynec
PSWebcode
ps at pswebcode.com
718.796.1951




From dmintz at davidmintz.org  Fri Sep  9 17:11:46 2005
From: dmintz at davidmintz.org (David Mintz)
Date: Fri, 9 Sep 2005 17:11:46 -0400 (EDT)
Subject: [nycphp-talk] PDF mailing labels in PHP 5
Message-ID: <Pine.BSF.4.58.0509091631110.69604@emra.pair.com>


I want to generate standard Avery #5160 mailing labels with data from a
MySQL db. I have done this using Perl modules but I want to use PHP (can't
seem get Perl DBD:mysql installed and communicating with MySQL 4.1)

So I tried running the example that comes with the label-making subclass
of class.ezpdf.php found at http://www.ros.co.nz/pdf/user.php and the
resulting output file is somehow corrupt, but I haven't succeeded in
debugging the problem any better than that. I am running PHP 5.0.4. I
thought, gee let's try it on a PHP 4 server. Bingo.

Question is, to anyone who's familiar with this class, is this a PHP 5
compatibility problem, or is the fact that I was lucky on one box but not
the other just luck?

Or:  does anyone know of another good solution for making labels? I
suppose possible solutions are: install PHP 4 to run in cgi mode and use
this code as is, or fix it to run under PHP 5.

---
David Mintz
http://davidmintz.org/


From yournway at gmail.com  Fri Sep  9 17:18:46 2005
From: yournway at gmail.com (Alberto dos Santos)
Date: Fri, 9 Sep 2005 22:18:46 +0100
Subject: [nycphp-talk] PDF mailing labels in PHP 5
In-Reply-To: <Pine.BSF.4.58.0509091631110.69604@emra.pair.com>
Message-ID: <!~!UENERkVCMDkAAQACAAAAAAAAAAAAAAAAABgAAAAAAAAA8M4dUVbIKEuJA0hSbWoDYcKAAAAQAAAA/3v0BFJFHkuhEojGrPiqyAEAAAAA@gmail.com>

Export as csv, import in ms word and do-it?





Just joking. Hehe ;-) 

Alberto

> ---
> David Mintz
> http://davidmintz.org/
> _______________________________________________
> New York PHP Talk Mailing List
> AMP Technology
> Supporting Apache, MySQL and PHP
> http://lists.nyphp.org/mailman/listinfo/talk
> http://www.nyphp.org
> 



From prusak at gmail.com  Fri Sep  9 17:20:33 2005
From: prusak at gmail.com (Ophir Prusak)
Date: Fri, 9 Sep 2005 17:20:33 -0400
Subject: [nycphp-talk] PHP on Windows + MS SQL Server
Message-ID: <f1dc81bb050909142017f298db@mail.gmail.com>

Hi All,

I'm working at a windows shop where all of the data is on MS SQL server 2000
(using .asp and .aspx - .net)

We're at the point where we're looking into adding PHP into the mix.

Up until this point, 99% of my PHP experience is on Linux systems with
MySQL, Oracle or PostgreSQL.

Any pointers / tips / articles / web sites (etc) I should be looking
at that will help me integrate PHP in our windows 2003 + MS SQL 2000
environment as smoothly as possible ?

Thanks
Ophir


From dcech at phpwerx.net  Fri Sep  9 17:24:57 2005
From: dcech at phpwerx.net (Dan Cech)
Date: Fri, 09 Sep 2005 17:24:57 -0400
Subject: [nycphp-talk] PDF mailing labels in PHP 5
In-Reply-To: <Pine.BSF.4.58.0509091631110.69604@emra.pair.com>
References: <Pine.BSF.4.58.0509091631110.69604@emra.pair.com>
Message-ID: <4321FDA9.7030009@phpwerx.net>

David,

I have used the pdf class extensively under php4, but not php5.

I'd definitely spend a little time trying to figure out exactly what is 
going wrong in php5, as it seems this wonderful class is receiving very 
little of the love it deserves at present.

To get some idea of why the output may be munged, you could try using 
this debugging code:

// debugging
$pdf->ezText("\n\n".$pdf->messages,10,array('justification'=>'left'));
$pdfcode = $pdf->output(1);
$pdfcode = str_replace("\n","<br />\n",htmlspecialchars($pdfcode));
echo '<html><body>';
echo trim($pdfcode);
echo '</body></html>';
exit();

Dan

David Mintz wrote:
> I want to generate standard Avery #5160 mailing labels with data from a
> MySQL db. I have done this using Perl modules but I want to use PHP (can't
> seem get Perl DBD:mysql installed and communicating with MySQL 4.1)
> 
> So I tried running the example that comes with the label-making subclass
> of class.ezpdf.php found at http://www.ros.co.nz/pdf/user.php and the
> resulting output file is somehow corrupt, but I haven't succeeded in
> debugging the problem any better than that. I am running PHP 5.0.4. I
> thought, gee let's try it on a PHP 4 server. Bingo.
> 
> Question is, to anyone who's familiar with this class, is this a PHP 5
> compatibility problem, or is the fact that I was lucky on one box but not
> the other just luck?
> 
> Or:  does anyone know of another good solution for making labels? I
> suppose possible solutions are: install PHP 4 to run in cgi mode and use
> this code as is, or fix it to run under PHP 5.
> 
> ---
> David Mintz
> http://davidmintz.org/


From tgales at tgaconnect.com  Fri Sep  9 18:06:58 2005
From: tgales at tgaconnect.com (Tim Gales)
Date: Fri, 09 Sep 2005 18:06:58 -0400
Subject: [nycphp-talk] PDF mailing labels in PHP 5
In-Reply-To: <Pine.BSF.4.58.0509091631110.69604@emra.pair.com>
References: <Pine.BSF.4.58.0509091631110.69604@emra.pair.com>
Message-ID: <43220782.2080204@tgaconnect.com>

David Mintz writes:
...
> 
> So I tried running the example that comes with the label-making subclass
> of class.ezpdf.php found at http://www.ros.co.nz/pdf/user.php and the
> resulting output file is somehow corrupt, but I haven't succeeded in
> debugging the problem any better than that. I am running PHP 5.0.4. I
> thought, gee let's try it on a PHP 4 server. Bingo.
>  

Sorry not familiar with that stuff.
But you do have the fonts (in the right place) -- right?

-- 
T. Gales & Associates
'Helping People Connect with Technology'

http://www.tgaconnect.com


From nestorflorez at earthlink.net  Fri Sep  9 19:20:04 2005
From: nestorflorez at earthlink.net (Nestor Florez)
Date: Fri, 9 Sep 2005 16:20:04 -0700 (GMT-07:00)
Subject: [nycphp-talk] PHP on Windows + MS SQL Server
Message-ID: <6531025.1126308004322.JavaMail.root@elwamui-mouette.atl.sa.earthlink.net>

When calling to open the DB in Mysql be aware of using ; instead a : between the
ip address and the port #  

Otherwise it should be no problem.

Nestor :-)

-----Original Message-----
From: Ophir Prusak <prusak at gmail.com>
Sent: Sep 9, 2005 2:20 PM
To: NYPHP Talk <talk at lists.nyphp.org>
Subject: [nycphp-talk] PHP on Windows + MS SQL Server

Hi All,

I'm working at a windows shop where all of the data is on MS SQL server 2000
(using .asp and .aspx - .net)

We're at the point where we're looking into adding PHP into the mix.

Up until this point, 99% of my PHP experience is on Linux systems with
MySQL, Oracle or PostgreSQL.

Any pointers / tips / articles / web sites (etc) I should be looking
at that will help me integrate PHP in our windows 2003 + MS SQL 2000
environment as smoothly as possible ?

Thanks
Ophir
_______________________________________________
New York PHP Talk Mailing List
AMP Technology
Supporting Apache, MySQL and PHP
http://lists.nyphp.org/mailman/listinfo/talk
http://www.nyphp.org





From ps at pswebcode.com  Fri Sep  9 21:09:13 2005
From: ps at pswebcode.com (Peter Sawczynec)
Date: Fri, 9 Sep 2005 21:09:13 -0400
Subject: [nycphp-talk] PHP on Windows + MS SQL Server
In-Reply-To: <f1dc81bb050909142017f298db@mail.gmail.com>
Message-ID: <000001c5b5a4$42e3b350$6400a8c0@PeterStorm>

PHP 4.x under IIS6 on Windows 2003 Server, if I recall, will need to
have php added to the web server extensions set. Done through IIS
Manager.

Install PHP into a really plain directory name like C:\PHP. Don't use
paths with spaces in them. 

Then add this PATH to the environmental variables accessed through My
Computer>Properties. Then with this one step alone: php.ini, all the
php.dlls, everything from the install, can stay in the single PHP
install folder and you don't have to put anything out into C:\Windows,
etc. 

PHP4.x installs under IIS 5 and IIS 6 smoothly. You need to tune your
settings in php.ini. Directions that come with the PHP download are
quite complete.

Googling for PHP Windows install tutorial will get you plenty of
results. Just step 5 or 6 pages down through the results. Lots of
individuals have summarized their efforts.

Php.net user comments in the Windows install area has lots of tips too.

Additionally, MySQL 4.x installs smoothly on Win boxes.

No fear.



-----Original Message-----
From: talk-bounces at lists.nyphp.org [mailto:talk-bounces at lists.nyphp.org]
On Behalf Of Ophir Prusak
Sent: Friday, September 09, 2005 5:21 PM
To: NYPHP Talk
Subject: [nycphp-talk] PHP on Windows + MS SQL Server

Hi All,

I'm working at a windows shop where all of the data is on MS SQL server
2000
(using .asp and .aspx - .net)

We're at the point where we're looking into adding PHP into the mix.

Up until this point, 99% of my PHP experience is on Linux systems with
MySQL, Oracle or PostgreSQL.

Any pointers / tips / articles / web sites (etc) I should be looking
at that will help me integrate PHP in our windows 2003 + MS SQL 2000
environment as smoothly as possible ?

Thanks
Ophir
_______________________________________________
New York PHP Talk Mailing List
AMP Technology
Supporting Apache, MySQL and PHP
http://lists.nyphp.org/mailman/listinfo/talk
http://www.nyphp.org




From corey at bmfenterprises.com  Sat Sep 10 00:18:43 2005
From: corey at bmfenterprises.com (Corey Fogarty)
Date: Sat, 10 Sep 2005 00:18:43 -0400
Subject: [nycphp-talk] Requirements for a Verisign Cert?
Message-ID: <BF47D6E3.162CF%corey@bmfenterprises.com>

I bought a Verisign Secure Site Pro cert for a client. It is not working
correctly...

I am running Apache 1.3.29 mod_ssl/2.8.16 OpenSSL/0.9.7c.

This is a Solaris 2.6 Ultra 5 running 64mb of memory, that may be part of
the problem, I am not sure.

Here are just a few of the errors that are kicking back when we start the
server and try to hit a page... I have replaced the domain name, I am not
working on dummy.com.

> [Fri Sep  9 22:30:55 2005] [error] mod_ssl: SSL handshake failed (server
> www.dummy.com:443, client 255.255.255.112) (OpenSSL library error follows)
> [Fri Sep  9 22:30:55 2005] [error] OpenSSL:
> error:140890C7:lib(20):func(137):reason(199)
> [Fri Sep  9 22:30:56 2005] [error] mod_ssl: SSL handshake failed (server
> www.dummy.com:443, client 255.255.255.112) (OpenSSL library error follows)
> [Fri Sep  9 22:30:56 2005] [error] OpenSSL:
> error:1408A10B:lib(20):func(138):reason(267)
> [Fri Sep  9 22:31:52 2005] [error] mod_ssl: SSL handshake failed (server
> www.dummy.com:443, client 255.255.255.112) (OpenSSL library error follows)
> [Fri Sep  9 22:31:52 2005] [error] OpenSSL:
> error:140890C7:lib(20):func(137):reason(199)
> [Fri Sep  9 22:31:52 2005] [error] mod_ssl: SSL handshake failed (server
> www.dummy.com:443, client 255.255.255.112) (OpenSSL library error follows)
> [Fri Sep  9 22:31:52 2005] [error] OpenSSL:
> error:1408A10B:lib(20):func(138):reason(267)
> [Fri Sep  9 22:49:04 2005] [error] mod_ssl: SSL handshake failed (server
> www.dummy.com:443, client 255.255.255.47) (OpenSSL library error follows)
> [Fri Sep  9 22:49:04 2005] [error] OpenSSL:
> error:1409441B:lib(20):func(148):reason(1051)
> [Fri Sep  9 22:55:53 2005] [error] mod_ssl: SSL handshake failed (server
> www.dummy.com:443, client 255.255.255.112) (OpenSSL library error follows)
> [Fri Sep  9 22:55:53 2005] [error] OpenSSL:
> error:140890C7:lib(20):func(137):reason(199)
> [Fri Sep  9 22:55:53 2005] [error] mod_ssl: SSL handshake failed (server
> www.dummy.com:443, client 255.255.255.112) (OpenSSL library error follows)
> [Fri Sep  9 22:55:53 2005] [error] OpenSSL:
> error:1408A10B:lib(20):func(138):reason(267)
> [Fri Sep  9 22:59:13 2005] [error] mod_ssl: SSL handshake failed (server
> www.dummy.com:443, client 255.255.255.112) (OpenSSL library error follows)
> [Fri Sep  9 22:59:13 2005] [error] OpenSSL:
> error:140890C7:lib(20):func(137):reason(199)
> [Fri Sep  9 22:59:13 2005] [error] mod_ssl: SSL handshake failed (server
> www.dummy.com:443, client 255.255.255.112) (OpenSSL library error follows)
> [Fri Sep  9 22:59:13 2005] [error] OpenSSL:
> error:1408A10B:lib(20):func(138):reason(267)
> [Fri Sep  9 23:00:22 2005] [error] mod_ssl: SSL handshake failed (server
> www.dummy.com:443, client 255.255.255.47) (OpenSSL library error follows)
> [Fri Sep  9 23:00:22 2005] [error] OpenSSL:
> error:1409441B:lib(20):func(148):reason(1051)
> [Fri Sep  9 23:06:13 2005] [error] mod_ssl: SSL handshake failed (server
> www.dummy.com:443, client 255.255.255.47) (OpenSSL library error follows)
> [Fri Sep  9 23:06:13 2005] [error] OpenSSL:
> error:1409441B:lib(20):func(148):reason(1051)
> [Fri Sep  9 23:42:34 2005] [error] mod_ssl: SSL handshake interrupted by
> system [Hint: Stop button pressed in browser?!] (System error follows)
> [Fri Sep  9 23:42:34 2005] [error] System: Connection reset by peer (errno:
> 131)
 
Here is a test I read out of the Professional Apache Security book by Wrox
Press...

> bash-2.02# openssl s_client -connect www.dummy.com:443
> CONNECTED(00000004)
> depth=1 /O=VeriSign Trust Network/OU=VeriSign, Inc./OU=VeriSign International
> Server CA - Class 3/OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97
> VeriSign
> verify error:num=20:unable to get local issuer certificate
> verify return:0
> 18006:error:0407006A:rsa routines:RSA_padding_check_PKCS1_type_1:block type is
> not 01:rsa_pk1.c:100:
> 18006:error:04067072:rsa routines:RSA_EAY_PUBLIC_DECRYPT:padding check
> failed:rsa_eay.c:580:
> 18006:error:1408D07B:SSL routines:SSL3_GET_KEY_EXCHANGE:bad
> signature:s3_clnt.c:1185:
> 
Here is an excerpt from the ssl_engine_log from startup.

> [09/Sep/2005 23:05:43 17594] [info]  Server: Apache/1.3.29, Interface:
> mod_ssl/2.8.16, Library: OpenSSL/0.9.7c
> [09/Sep/2005 23:05:43 17594] [info]  Init: 1st startup round (still not
> detached)
> [09/Sep/2005 23:05:43 17594] [info]  Init: Initializing OpenSSL library
> [09/Sep/2005 23:05:43 17594] [info]  Init: Loading certificate & private key
> of SSL-aware server www.dummy.com:443
> [09/Sep/2005 23:05:43 17594] [info]  Init: Requesting pass phrase via builtin
> terminal dialog
> [09/Sep/2005 23:05:46 17594] [info]  Init: Loading certificate & private key
> of SSL-aware server 255.255.255.21:443
> [09/Sep/2005 23:05:46 17594] [info]  Init: Loading certificate & private key
> of SSL-aware server 255.255.255.46:443
> [09/Sep/2005 23:05:46 17594] [info]  Init: Wiped out the queried pass phrases
> from memory
> [09/Sep/2005 23:05:46 17594] [info]  Init: Seeding PRNG with 136 bytes of
> entropy
> [09/Sep/2005 23:05:46 17594] [info]  Init: Generating temporary RSA private
> keys (512/1024 bits)
> [09/Sep/2005 23:05:49 17594] [info]  Init: Configuring temporary DH parameters
> (512/1024 bits)
> [09/Sep/2005 23:05:49 17595] [info]  Init: 2nd startup round (already
> detached)
> [09/Sep/2005 23:05:49 17595] [info]  Init: Reinitializing OpenSSL library
> [09/Sep/2005 23:05:49 17595] [info]  Init: Seeding PRNG with 136 bytes of
> entropy
> [09/Sep/2005 23:05:49 17595] [info]  Init: Configuring temporary RSA private
> keys (512/1024 bits)
> [09/Sep/2005 23:05:49 17595] [info]  Init: Configuring temporary DH parameters
> (512/1024 bits)
> [09/Sep/2005 23:05:49 17595] [info]  Init: Initializing (virtual) servers for
> SSL
> [09/Sep/2005 23:05:50 17595] [info]  Init: Configuring server
> www.dummy.com:443 for SSL protocol
> [09/Sep/2005 23:05:50 17595] [info]  Init: (www.dummy.com:443) RSA server
> certificate enables Server Gated Cryptography (SGC)
> [09/Sep/2005 23:05:50 17595] [info]  Init: Configuring server
> 255.255.255.21:443 for SSL protocol
> [09/Sep/2005 23:05:50 17595] [warn]  Init: (255.255.255.21:443) RSA server
> certificate CommonName (CN) `www.dummy2.com' does NOT match server name!?
> [09/Sep/2005 23:05:50 17595] [info]  Init: Configuring server
> 255.255.255.46:443 for SSL protocol
> [09/Sep/2005 23:05:50 17595] [warn]  Init: (255.255.255.46:443) RSA server
> certificate CommonName (CN) `www.dummy3.com' does NOT match server name!?
> [09/Sep/2005 23:06:03 17596] [info]  Connection to child 0 established (server
> 255.255.255.46:443, client 255.255.255.46)
> [09/Sep/2005 23:06:03 17596] [info]  Seeding PRNG with 1160 bytes of entropy
> [09/Sep/2005 23:06:03 17596] [error] SSL handshake failed (server
> 255.255.255.46:443, client 255.255.255.46) (OpenSSL library error follows)
> [09/Sep/2005 23:06:03 17596] [error] OpenSSL:
> error:1409441B:lib(20):func(148):reason(1051)
> [09/Sep/2005 23:06:13 17597] [info]  Connection to child 1 established (server
> www.dummy.com:443, client 255.255.255.47)
> [09/Sep/2005 23:06:13 17597] [info]  Seeding PRNG with 1160 bytes of entropy
> [09/Sep/2005 23:06:13 17597] [error] SSL handshake failed (server
> www.dummy.com:443, client 255.255.255.47) (OpenSSL library error follows)
> [09/Sep/2005 23:06:13 17597] [error] OpenSSL:
> error:1409441B:lib(20):func(148):reason(1051)
> [09/Sep/2005 23:41:49 17598] [info]  Connection to child 2 established (server
> 255.255.255.21:443, client 255.255.255.112)
> [09/Sep/2005 23:41:49 17598] [info]  Seeding PRNG with 1160 bytes of entropy
> [09/Sep/2005 23:41:50 17598] [info]  Initial (No.1) HTTPS request received for
> child 2 (server 255.255.255.21:443)
> [09/Sep/2005 23:41:51 17599] [info]  Connection to child 3 established (server
> 255.255.255.21:443, client 255.255.255.112)
> [09/Sep/2005 23:41:51 17599] [info]  Seeding PRNG with 1160 bytes of entropy
> [09/Sep/2005 23:41:52 17600] [info]  Connection to child 4 established (server
> 255.255.255.21:443, client 255.255.255.112)
> [09/Sep/2005 23:41:52 17600] [info]  Seeding PRNG with 1160 bytes of entropy
> [09/Sep/2005 23:41:53 17600] [info]  Initial (No.1) HTTPS request received for
> child 4 (server 255.255.255.21:443)
> [09/Sep/2005 23:41:53 17599] [info]  Initial (No.1) HTTPS request received for
> child 3 (server 255.255.255.21:443)
> [09/Sep/2005 23:42:08 17598] [info]  Connection to child 2 closed with
> standard shutdown (server 255.255.255.21:443, client 255.255.255.112)
> [09/Sep/2005 23:42:09 17600] [info]  Connection to child 4 closed with
> standard shutdown (server 255.255.255.21:443, client 255.255.255.112)
> [09/Sep/2005 23:42:10 17599] [info]  Connection to child 3 closed with
> standard shutdown (server 255.255.255.21:443, client 255.255.255.112)
> [09/Sep/2005 23:42:11 17596] [info]  Connection to child 0 established (server
> 255.255.255.21:443, client 255.255.255.112)
> [09/Sep/2005 23:42:11 17596] [info]  Seeding PRNG with 1160 bytes of entropy
> [09/Sep/2005 23:42:20 17596] [info]  Initial (No.1) HTTPS request received for
> child 0 (server 255.255.255.21:443)
> [09/Sep/2005 23:42:21 17605] [info]  Connection to child 5 established (server
> 255.255.255.21:443, client 255.255.255.112)
> [09/Sep/2005 23:42:21 17605] [info]  Seeding PRNG with 1160 bytes of entropy
> [09/Sep/2005 23:42:21 17596] [info]  Connection to child 0 closed with unclean
> shutdown (server 255.255.255.21:443, client 255.255.255.112)
> [09/Sep/2005 23:42:21 17597] [info]  Connection to child 1 established (server
> 255.255.255.21:443, client 255.255.255.112)
> [09/Sep/2005 23:42:21 17597] [info]  Seeding PRNG with 1160 bytes of entropy
> [09/Sep/2005 23:42:22 17605] [info]  Initial (No.1) HTTPS request received for
> child 5 (server 255.255.255.21:443)
> [09/Sep/2005 23:42:22 17605] [info]  Connection to child 5 closed with unclean
> shutdown (server 255.255.255.21:443, client 255.255.255.112)
> [09/Sep/2005 23:42:22 17597] [info]  Initial (No.1) HTTPS request received for
> child 1 (server 255.255.255.21:443)
> [09/Sep/2005 23:42:22 17597] [info]  Connection to child 1 closed with unclean
> shutdown (server 255.255.255.21:443, client 255.255.255.112)
> [09/Sep/2005 23:42:31 17901] [info]  Connection to child 6 established (server
> www.dummy.com:443, client 255.255.255.112)
> [09/Sep/2005 23:42:31 17901] [info]  Seeding PRNG with 1160 bytes of entropy
> [09/Sep/2005 23:42:34 17901] [error] SSL handshake interrupted by system
> [Hint: Stop button pressed in browser?!] (System error follows)
> [09/Sep/2005 23:42:34 17901] [error] System: Connection reset by peer (errno:
> 131)
> [09/Sep/2005 23:54:22 17902] [info]  Connection to child 7 established (server
> www.dummy.com:443, client 255.255.255.47)
> [09/Sep/2005 23:54:22 17902] [info]  Seeding PRNG with 1160 bytes of entropy
> [09/Sep/2005 23:54:23 17902] [error] SSL handshake failed (server
> www.dummy.com:443, client 255.255.255.47) (OpenSSL library error follows)
> [09/Sep/2005 23:54:23 17902] [error] OpenSSL:
> error:1409441B:lib(20):func(148):reason(1051)
>  
The funny part is that I have actually had some luck signing my own certs. I
still get errors but at least the page loads... With the Verisign cert, the
page doesn?t even load.

Hopefully someone else has found their way through this maze and can shoot
up a flare for me!

Thanks all!

Corey

P.S. I have tried tech support at Verisign with very little luck. They are
very clear on the fact that they don?t support open source. I am guessing
they have their fingers in their ears a bit there...

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.nyphp.org/pipermail/talk/attachments/20050910/7fcb573a/attachment.html>

From cfontaine at spidmail.net  Sat Sep 10 09:35:55 2005
From: cfontaine at spidmail.net (Cedric Fontaine)
Date: Sat, 10 Sep 2005 09:35:55 -0400
Subject: [nycphp-talk] PDF mailing labels in PHP 5
In-Reply-To: <Pine.BSF.4.58.0509091631110.69604@emra.pair.com>
References: <Pine.BSF.4.58.0509091631110.69604@emra.pair.com>
Message-ID: <4322E13B.2020806@spidmail.net>

David Mintz wrote:
> Or:  does anyone know of another good solution for making labels? I
> suppose possible solutions are: install PHP 4 to run in cgi mode and use
> this code as is, or fix it to run under PHP 5.

I've been using FPDF with success http://www.fpdf.org/ and this script
for labels
http://www.fpdf.org/fr/script/script29.php

Cedric



From danielc at analysisandsolutions.com  Sat Sep 10 10:42:08 2005
From: danielc at analysisandsolutions.com (Daniel Convissor)
Date: Sat, 10 Sep 2005 10:42:08 -0400
Subject: [nycphp-talk] PHP on Windows + MS SQL Server
In-Reply-To: <f1dc81bb050909142017f298db@mail.gmail.com>
References: <f1dc81bb050909142017f298db@mail.gmail.com>
Message-ID: <20050910144208.GB21130@panix.com>

Hey Ophir:

On Fri, Sep 09, 2005 at 05:20:33PM -0400, Ophir Prusak wrote:
> 
> I'm working at a windows shop where all of the data is on MS SQL server 2000
> (using .asp and .aspx - .net)
> 
> We're at the point where we're looking into adding PHP into the mix.

PEAR DB works just dandy with MSSQL.  Even if you don't want to use the 
package, you may gain some insights from the source code.

--Dan

-- 
 T H E   A N A L Y S I S   A N D   S O L U T I O N S   C O M P A N Y
            data intensive web and database programming
                http://www.AnalysisAndSolutions.com/
 4015 7th Ave #4, Brooklyn NY 11232  v: 718-854-0335 f: 718-854-0409


From leegold at fastmail.fm  Sat Sep 10 12:58:53 2005
From: leegold at fastmail.fm (leegold)
Date: Sat, 10 Sep 2005 12:58:53 -0400
Subject: [nycphp-talk] XAMPP windows install question
Message-ID: <1126371533.19948.242611975@webmail.messagingengine.com>

# After installing MySQL as a service, remember to copy
\xampp\mysql\my_example.cnf to C:\my.cnf

I read this line above on the nyphp XAMPP site. Not sure cause I have no
file named my.cnf on C:\ and MYSQL seems to be running OK - PHPMyAdmin
works OK. Can/Should I ignore this?

Thanks

PS. What list on nyphp should I ask PHP programming questions? Although
    there are many newsgroups for this so I'm OK...


From lists at zaunere.com  Sat Sep 10 13:57:39 2005
From: lists at zaunere.com (Hans Zaunere)
Date: Sat, 10 Sep 2005 13:57:39 -0400
Subject: [nycphp-talk] XAMPP windows install question
In-Reply-To: <1126371533.19948.242611975@webmail.messagingengine.com>
Message-ID: <0MKp2t-1EE9bg16UW-00021f@mrelay.perfora.net>



leegold wrote on Saturday, September 10, 2005 12:59 PM:
> # After installing MySQL as a service, remember to copy
> \xampp\mysql\my_example.cnf to C:\my.cnf
> 
> I read this line above on the nyphp XAMPP site. Not sure cause I have no
> file named my.cnf on C:\ and MYSQL seems to be running OK - PHPMyAdmin
> works OK. Can/Should I ignore this?

If you're just running XAMPP for development and test drive purposes on your laptop, then you can ignore this for now.  MySQL will use conservative defaults if it doesn't find a my.cnf file.

Once your ready to start playing around with the MySQL configuration, you can put the my.cnf file in a number of different places.  I always put mine in the data directory of MySQL, for instance, c:\xampp\mysql\data

> PS. What list on nyphp should I ask PHP programming questions? Although
>     there are many newsgroups for this so I'm OK...

This is the list, NYPHP-Talk.  You can of course view other lists at http://www.nyphp.org/lists/


---
Hans Zaunere / President / New York PHP
  www.nyphp.org  /  www.nyphp.com




From leegold at fastmail.fm  Sat Sep 10 19:17:47 2005
From: leegold at fastmail.fm (leegold)
Date: Sat, 10 Sep 2005 19:17:47 -0400
Subject: [nycphp-talk] PEAR help
Message-ID: <1126394267.9586.242623311@webmail.messagingengine.com>

XAMPP works great. 
I now want to get PEAR working. Using Win2K...

How do I install PEAR? - of course I see the PEAR folder in xampp but
isn't there a bit more I have to do?
Do I have to edit my PATH env. var?
Do I have to run a .bat to activate PEAR?
PEAR will work from my DOS CMD line is this true?
So I need to get it working and the test will be I'll download some PEAR
packages...

Thanks,
Lee G.


From smanes at magpie.com  Sun Sep 11 08:59:07 2005
From: smanes at magpie.com (Steve Manes)
Date: Sun, 11 Sep 2005 08:59:07 -0400
Subject: [nycphp-talk] PHPWiki
Message-ID: <43242A1B.4050102@magpie.com>

Pardon me if this has been discussed before.  I assume it has been but I 
was probably outside having a smoke.  What's the general opinion about 
PHPWiki here?

I'm tasked with setting up a Wiki for a large open source PHP dev 
project for Childrens Health Fund.  I've set up and used TikiWiki before 
and it worked fine.  It's just a bit of overkill for our needs and it 
would sorta politically undercut my argument for PHP as the base 
language for this project if I installed a perl wiki.

I downloaded v1.3 last night and got it running okay albeit with tons of 
PHP warnings, mostly about using invalid types in referenced arg 
variables.  I googled relentlessly on this problem only to find myself 
directed to other PHPWiki sites, most of which suffered from the same 
affliction.

I know how to turn off those warnings and know (pretty much) what's 
causing them.  But I'd rather not mask the symptoms.  Also, PHP warnings 
indicate potentially problematic code.

Is v1.3 not ready for prime time or does it require PHP5?  The 
installation docs are somewhat byzantine.  Is there a better PHP 
alternative to PHPWiki?


From rolan at omnistep.com  Sun Sep 11 09:34:34 2005
From: rolan at omnistep.com (Rolan Yang)
Date: Sun, 11 Sep 2005 09:34:34 -0400
Subject: [nycphp-talk] worm/virus's hammering feedback scripts?
Message-ID: <4324326A.8060307@omnistep.com>

A few of my web based feedback (contact.php) scripts have been getting 
hammered with some sort of  spam or bot net attack over the past week.
The scripts are running on different servers at different web hosts, but 
the garbage coming in has been the same. The "from" field is filled in 
with random lower case letters like "kljaogr at domain.com" where "domain" 
is the website address. The body field contains the same email address.

Sometimes "Content-Type: multipart/mixed; 
boundary=\"===============083392.."
is appended to the email address in both the "from:" field and also the 
body.

The submissions are coming from different ip's all over the world.
Has anyone else been experiencing anything similar?

~Rolan




From kenrbnsn at rbnsn.com  Sun Sep 11 09:50:20 2005
From: kenrbnsn at rbnsn.com (Ken Robinson)
Date: Sun, 11 Sep 2005 09:50:20 -0400
Subject: [nycphp-talk] worm/virus's hammering feedback scripts?
In-Reply-To: <4324326A.8060307@omnistep.com>
References: <4324326A.8060307@omnistep.com>
Message-ID: <6.2.5.4.2.20050911094253.02fb43b8@rbnsn.com>

At 09:34 AM 9/11/2005, Rolan Yang wrote:
>A few of my web based feedback (contact.php) scripts have been getting
>hammered with some sort of  spam or bot net attack over the past week.
>The scripts are running on different servers at different web hosts, but
>the garbage coming in has been the same. The "from" field is filled in
>with random lower case letters like "kljaogr at domain.com" where "domain"
>is the website address. The body field contains the same email address.
>
>Sometimes "Content-Type: multipart/mixed;
>boundary=\"===============083392.."
>is appended to the email address in both the "from:" field and also the
>body.
>
>The submissions are coming from different ip's all over the world.
>Has anyone else been experiencing anything similar?

Yes. I use the following function

function checkit($name) {
     return(str_replace(array("\r", "\n", "%OA", "%oa", "%OD", "%od", 
"Content-Type:","BCC:","bcc:"), "", $name));
}

to render their attempts harmless.

I use the above function with:

$from = '"' . stripslashes(checkit($_POST['contactname'])) . '" <' . 
stripslashes(checkit($_POST['Email'])) . '>';
$to = "kenrbnsn at kis-web-design.com";
$headers = "From: " . $from . "\r\n";
$headers .= "Reply-To: " . stripslashes(checkit($_POST['Email'])) . "\r\n\r\n";
@mail($to, "Subject goes here", $mail_body, $headers);

They are still trying, but they aren't succeeding to do anything 
malicious. One of the attempts even but their code in my message 
textarea, which wouldn't have done anything anyway since it was in 
the body of the mail message.

Ken 



From tom at supertom.com  Sun Sep 11 11:25:30 2005
From: tom at supertom.com (Tom)
Date: Sun, 11 Sep 2005 11:25:30 -0400
Subject: [nycphp-talk] PHPWiki
In-Reply-To: <43242A1B.4050102@magpie.com>
Message-ID: <0IMN0014PR9LAX00@mta6.srv.hcvlny.cv.net>

Hi Steve,

I've tried PHPWiki in the past, and although useable, I've had great success
with MediaWiki, which runs WikiPedia and the like.  Very easy to install,
and very mature.

I understand there are a couple of forks of this, you may want to look into
those as well.

Tom

http://www.liphp.org


 

-----Original Message-----
From: talk-bounces at lists.nyphp.org [mailto:talk-bounces at lists.nyphp.org] On
Behalf Of Steve Manes
Sent: Sunday, September 11, 2005 8:59 AM
To: NYPHP Talk
Subject: [nycphp-talk] PHPWiki

Pardon me if this has been discussed before.  I assume it has been but I was
probably outside having a smoke.  What's the general opinion about PHPWiki
here?

I'm tasked with setting up a Wiki for a large open source PHP dev project
for Childrens Health Fund.  I've set up and used TikiWiki before and it
worked fine.  It's just a bit of overkill for our needs and it would sorta
politically undercut my argument for PHP as the base language for this
project if I installed a perl wiki.

I downloaded v1.3 last night and got it running okay albeit with tons of PHP
warnings, mostly about using invalid types in referenced arg variables.  I
googled relentlessly on this problem only to find myself directed to other
PHPWiki sites, most of which suffered from the same affliction.

I know how to turn off those warnings and know (pretty much) what's causing
them.  But I'd rather not mask the symptoms.  Also, PHP warnings indicate
potentially problematic code.

Is v1.3 not ready for prime time or does it require PHP5?  The installation
docs are somewhat byzantine.  Is there a better PHP alternative to PHPWiki?
_______________________________________________
New York PHP Talk Mailing List
AMP Technology
Supporting Apache, MySQL and PHP
http://lists.nyphp.org/mailman/listinfo/talk
http://www.nyphp.org




From mail at billyreisinger.com  Sun Sep 11 11:09:14 2005
From: mail at billyreisinger.com (Billy Reisinger)
Date: Sun, 11 Sep 2005 11:09:14 -0400
Subject: [nycphp-talk] worm/virus's hammering feedback scripts?
In-Reply-To: <6.2.5.4.2.20050911094253.02fb43b8@rbnsn.com>
References: <4324326A.8060307@omnistep.com>
	<6.2.5.4.2.20050911094253.02fb43b8@rbnsn.com>
Message-ID: <3590C917-BA65-4696-AA35-73CD36CF5892@billyreisinger.com>

Rolan:

Follow Ken's advice immediately.  To me, it looks like they DID  
succeed in hacking your mail script.  I got the same email from one  
of my scripts, and I found out the next day that my hosting company  
had shut down my website - AOL called them  to complain of tons of  
spam coming from my domain, and threatened to blacklist them.

The hack is accomplished by injecting code into one of your fields;  
you have to check for line breaks and other suspicious stuff (like  
Bcc: headers) to make sure that someone isn't trying to inject  
additional recipients into the script.
Here's a great page, detailing how the hack is accomplished:
http://securephp.damonkohler.com/index.php/Email_Injection
Hope this helps!

Take care,
Billy Reisinger


On Sep 11, 2005, at 9:50 AM, Ken Robinson wrote:

> At 09:34 AM 9/11/2005, Rolan Yang wrote:
>
>> A few of my web based feedback (contact.php) scripts have been  
>> getting
>> hammered with some sort of  spam or bot net attack over the past  
>> week.
>> The scripts are running on different servers at different web  
>> hosts, but
>> the garbage coming in has been the same. The "from" field is  
>> filled in
>> with random lower case letters like "kljaogr at domain.com" where  
>> "domain"
>> is the website address. The body field contains the same email  
>> address.
>>
>> Sometimes "Content-Type: multipart/mixed;
>> boundary=\"===============083392.."
>> is appended to the email address in both the "from:" field and  
>> also the
>> body.
>>
>> The submissions are coming from different ip's all over the world.
>> Has anyone else been experiencing anything similar?
>>
>
> Yes. I use the following function
>
> function checkit($name) {
>      return(str_replace(array("\r", "\n", "%OA", "%oa", "%OD", "%od",
> "Content-Type:","BCC:","bcc:"), "", $name));
> }
>
> to render their attempts harmless.
>
> I use the above function with:
>
> $from = '"' . stripslashes(checkit($_POST['contactname'])) . '" <' .
> stripslashes(checkit($_POST['Email'])) . '>';
> $to = "kenrbnsn at kis-web-design.com";
> $headers = "From: " . $from . "\r\n";
> $headers .= "Reply-To: " . stripslashes(checkit($_POST['Email'])) .  
> "\r\n\r\n";
> @mail($to, "Subject goes here", $mail_body, $headers);
>
> They are still trying, but they aren't succeeding to do anything
> malicious. One of the attempts even but their code in my message
> textarea, which wouldn't have done anything anyway since it was in
> the body of the mail message.
>
> Ken
>
> _______________________________________________
> New York PHP Talk Mailing List
> AMP Technology
> Supporting Apache, MySQL and PHP
> http://lists.nyphp.org/mailman/listinfo/talk
> http://www.nyphp.org
>
>
>



From rajlist at rajshekhar.net  Sun Sep 11 11:16:11 2005
From: rajlist at rajshekhar.net (Raj Shekhar)
Date: Sun, 11 Sep 2005 20:46:11 +0530
Subject: [nycphp-talk] PHPWiki
In-Reply-To: <43242A1B.4050102@magpie.com>
References: <43242A1B.4050102@magpie.com>
Message-ID: <43244A3B.9020707@rajshekhar.net>

in infinite wisdom Steve Manes spoke thus  On 09/11/2005 06:29 PM:

> Is v1.3 not ready for prime time or does it require PHP5?  The 
> installation docs are somewhat byzantine.  Is there a better PHP 
> alternative to PHPWiki?

I have had good success in running PmWiki.
http://rajshekhar.net/content/view/24/26/ .  I also liked MediaWiki -
though it requires a bit more resources.  If you have a caching engine,
then you will get a better performance.

Both of these are in PHP

-- 
Raj Shekhar		           Y!IM : lunatech3007
blog : http://rajshekhar.net/blog  home : http://rajshekhar.net
Disclaimer : http://rajshekhar.net/disclaimer


From tom at supertom.com  Sun Sep 11 11:51:20 2005
From: tom at supertom.com (Tom)
Date: Sun, 11 Sep 2005 11:51:20 -0400
Subject: [nycphp-talk] PEAR help
In-Reply-To: <1126394267.9586.242623311@webmail.messagingengine.com>
Message-ID: <0IMN001ERSGPPC00@mta6.srv.hcvlny.cv.net>

Hi Lee,


I haven't used XAMPP in a while, but from what I remember: In the php
directory, there is the go-pear.bat file, run that and it will get you
started.

Yes, you can use pear from the DOD command-line, and it will install
packages for you.  I don't think you'll have to change your ENV any more
than the provided scripts already do, but you may need to change your
include directory in your php.ini, but I doubt it.

Tom

http://www.liphp.org

 

-----Original Message-----
From: talk-bounces at lists.nyphp.org [mailto:talk-bounces at lists.nyphp.org] On
Behalf Of leegold
Sent: Saturday, September 10, 2005 7:18 PM
To: talk at lists.nyphp.org
Subject: [nycphp-talk] PEAR help

XAMPP works great. 
I now want to get PEAR working. Using Win2K...

How do I install PEAR? - of course I see the PEAR folder in xampp but isn't
there a bit more I have to do?
Do I have to edit my PATH env. var?
Do I have to run a .bat to activate PEAR?
PEAR will work from my DOS CMD line is this true?
So I need to get it working and the test will be I'll download some PEAR
packages...

Thanks,
Lee G.
_______________________________________________
New York PHP Talk Mailing List
AMP Technology
Supporting Apache, MySQL and PHP
http://lists.nyphp.org/mailman/listinfo/talk
http://www.nyphp.org




From lists at zaunere.com  Sun Sep 11 13:24:41 2005
From: lists at zaunere.com (Hans Zaunere)
Date: Sun, 11 Sep 2005 13:24:41 -0400
Subject: [nycphp-talk] worm/virus's hammering feedback scripts?
In-Reply-To: <4324326A.8060307@omnistep.com>
Message-ID: <0MKp2t-1EEVZL04AF-0004KA@mrelay.perfora.net>



Rolan Yang wrote on Sunday, September 11, 2005 9:35 AM:
> A few of my web based feedback (contact.php) scripts have been getting
> hammered with some sort of  spam or bot net attack over the past week.
> The scripts are running on different servers at different web hosts, but
> the garbage coming in has been the same. The "from" field is filled in
> with random lower case letters like "kljaogr at domain.com" where "domain"
> is the website address. The body field contains the same email address.
> 
> Sometimes "Content-Type: multipart/mixed;
> boundary=\"===============083392.."
> is appended to the email address in both the "from:" field and also the
> body.
> 
> The submissions are coming from different ip's all over the world.
> Has anyone else been experiencing anything similar?

Yeah - I've been seeing it over the last couple of weeks.

It's a particularly ingenuous method of taking advantage of primarily the MIME standard.  I typically look for the string 'Content-Type:' in any submitted fields, and if it's found, the script records the IP and notifies me.

Since it's my understanding that the exploitation can't happen without the use of Content-Type: (the MIME header that dictates part of a message's structure), something like this has worked well:

foreach( $form_fields as $value )
{
  if( stripos($value,'Content-Type:') !== FALSE )
  {
    mail('admin at my.com','Spam Attempt',$_SERVER['REMOTE_ADDR']);
    exit("{$_SERVER['REMOTE_ADDR']} Has been Recorded");
  }
}

Of course complete input filtering might be the better solution to this.

This is a particularly clever way of exploiting multiple technologies.  I would argue that there is nothing broken in PHP or MIME.  Rather, it's the combination of seemingly innocuous behaviors that create an exploitable situation.


---
Hans Zaunere / President / New York PHP
  www.nyphp.org  /  www.nyphp.com




From dmintz at davidmintz.org  Sun Sep 11 15:07:57 2005
From: dmintz at davidmintz.org (David Mintz)
Date: Sun, 11 Sep 2005 15:07:57 -0400 (EDT)
Subject: [nycphp-talk] PDF mailing labels in PHP 5 (will have to wait...)
In-Reply-To: <4321FDA9.7030009@phpwerx.net>
References: <Pine.BSF.4.58.0509091631110.69604@emra.pair.com>
	<4321FDA9.7030009@phpwerx.net>
Message-ID: <Pine.BSF.4.58.0509111502220.12172@emra.pair.com>


Thanks to all for the feedback. I think I will try Dan Cech's suggestion.
Note to Tim G., yes the fonts are in the right location.

More urgently, I have a couple of contact.php type scripts of my own to
harden up because I am getting hit by this latest nuisance -- lucky for me
there is this list where I didn't even have to ask to find some answers.
So thanks to people on that thread, too. Damn that vicious little bot.

On Fri, 9 Sep 2005, Dan Cech wrote:

> I have used the pdf class extensively under php4, but not php5.
>
> I'd definitely spend a little time trying to figure out exactly what is
> going wrong in php5, as it seems this wonderful class is receiving very
> little of the love it deserves at present.
>
> To get some idea of why the output may be munged, you could try using
> this debugging code:
>
> // debugging
> $pdf->ezText("\n\n".$pdf->messages,10,array('justification'=>'left'));
> $pdfcode = $pdf->output(1);
> $pdfcode = str_replace("\n","<br />\n",htmlspecialchars($pdfcode));
> echo '<html><body>';
> echo trim($pdfcode);
> echo '</body></html>';
> exit();


---
David Mintz
http://davidmintz.org/


From rolan at omnistep.com  Sun Sep 11 15:57:35 2005
From: rolan at omnistep.com (Rolan Yang)
Date: Sun, 11 Sep 2005 15:57:35 -0400
Subject: [nycphp-talk] worm/virus's hammering feedback scripts?
In-Reply-To: <0MKp2t-1EEVZL04AF-0004KA@mrelay.perfora.net>
References: <0MKp2t-1EEVZL04AF-0004KA@mrelay.perfora.net>
Message-ID: <43248C2F.8030006@omnistep.com>

Thanks everyone for your help. I checked my web logs and it does indeed 
appear that the script was exploitable. Lucky for me, the only 
unauthorized email was sent to "jrubin3546 at aol.com" That email appears 
to be a probe used by the spambot to verify exploitable websites. I 
would imagine the hacker wrote some sort of script that queried google 
for "contactphp" or "feedback.php", harvested the results into a list 
which was then sent out to a botnet to probe for vulnerable scripts and 
collect the results via a list of free aol accounts. Do a search for the 
email above on google and you will find thousands of results. Many of 
them are the results in blog/feedback pages in which attempts have been 
made to hack them.

There should be a large warning put out about this (perhaps I missed the 
bulletin?). I have not seen any spam being sent out from my servers, but 
I'm sure in time the hacker/spammer will do so.

~Rolan


From rolan at omnistep.com  Sun Sep 11 23:51:46 2005
From: rolan at omnistep.com (Rolan Yang)
Date: Sun, 11 Sep 2005 23:51:46 -0400
Subject: [nycphp-talk] worm/virus's hammering feedback scripts?
In-Reply-To: <43248C2F.8030006@omnistep.com>
References: <0MKp2t-1EEVZL04AF-0004KA@mrelay.perfora.net>
	<43248C2F.8030006@omnistep.com>
Message-ID: <4324FB52.5010806@omnistep.com>

One more hint to all:

 If you are hosting php scripts for other people, or simply have too 
many to comb through on your own server(s), grep your mail server log 
for "jrubin3546 at aol.com".  If you see any results, cross reference that 
time with your web logs to locate the exploitable script.

~Rolan


From jsiegel1 at optonline.net  Mon Sep 12 06:44:48 2005
From: jsiegel1 at optonline.net (Jeff Siegel)
Date: Mon, 12 Sep 2005 06:44:48 -0400
Subject: [nycphp-talk] worm/virus's hammering feedback scripts?
In-Reply-To: <4324FB52.5010806@omnistep.com>
Message-ID: <0IMP00BBC9UP4200@mta6.srv.hcvlny.cv.net>

An FYI. On all of my website login pages, I have my script email me all of
the global variables (i.e., $GLOBALS) when someone fails to log in. I've
received emails from my error handler similar to those like the "jrubin"
one. The point is that whatever bot is running, it seems to be trying to
inject its dastardly code into any PHP form it finds.

Jeff



-----Original Message-----
From: talk-bounces at lists.nyphp.org [mailto:talk-bounces at lists.nyphp.org] On
Behalf Of Rolan Yang
Sent: Sunday, September 11, 2005 10:52 PM
To: NYPHP Talk
Subject: Re: [nycphp-talk] worm/virus's hammering feedback scripts?

One more hint to all:

 If you are hosting php scripts for other people, or simply have too 
many to comb through on your own server(s), grep your mail server log 
for "jrubin3546 at aol.com".  If you see any results, cross reference that 
time with your web logs to locate the exploitable script.

~Rolan
_______________________________________________
New York PHP Talk Mailing List
AMP Technology
Supporting Apache, MySQL and PHP
http://lists.nyphp.org/mailman/listinfo/talk
http://www.nyphp.org



From chsnyder at gmail.com  Mon Sep 12 08:04:56 2005
From: chsnyder at gmail.com (csnyder)
Date: Mon, 12 Sep 2005 08:04:56 -0400
Subject: [nycphp-talk] PHPWiki
In-Reply-To: <43242A1B.4050102@magpie.com>
References: <43242A1B.4050102@magpie.com>
Message-ID: <b762526905091205044def6d8a@mail.gmail.com>

On 9/11/05, Steve Manes <smanes at magpie.com> wrote:

> Is v1.3 not ready for prime time or does it require PHP5?  The
> installation docs are somewhat byzantine.  Is there a better PHP
> alternative to PHPWiki?

I'll second Tom's suggestion of MediaWiki. 

PHPWiki worked fine for me until I tried to upgrade to PHP5, which was
extremely unpleasant.


-- 
Chris Snyder
http://chxo.com/


From lists at zaunere.com  Mon Sep 12 08:38:17 2005
From: lists at zaunere.com (Hans Zaunere)
Date: Mon, 12 Sep 2005 08:38:17 -0400
Subject: [nycphp-talk] worm/virus's hammering feedback scripts?
In-Reply-To: <4324FB52.5010806@omnistep.com>
Message-ID: <0MKp2t-1EEnZh055l-0000LJ@mrelay.perfora.net>



Rolan Yang scribbled on Sunday, September 11, 2005 11:52 PM:
> One more hint to all:
> 
>  If you are hosting php scripts for other people, or simply have too
> many to comb through on your own server(s), grep your mail server log
> for "jrubin3546 at aol.com".  If you see any results, cross reference
> that time with your web logs to locate the exploitable script.

Another address I've seen is mhkoch321 at aol.com

Rolan, and I think you're right about this problem not getting enough
exposure.  If you can write-up a couple of paragraphs about it, I'll post it
on nyphp.org's frontpage.


---
Hans Zaunere / President / New York PHP
  www.nyphp.org  /  www.nyphp.com




From krook at us.ibm.com  Mon Sep 12 09:32:02 2005
From: krook at us.ibm.com (Daniel Krook)
Date: Mon, 12 Sep 2005 09:32:02 -0400
Subject: [nycphp-talk] worm/virus's hammering feedback scripts?
In-Reply-To: <0MKp2t-1EEVZL04AF-0004KA@mrelay.perfora.net>
Message-ID: <OF5DF984F9.3FB9FD24-ON8525707A.0049C9FA-8525707A.004A5324@us.ibm.com>

> It's a particularly ingenuous method of taking advantage 
> of primarily the MIME standard.  I typically look for the 
> string 'Content-Type:' in any submitted fields, and if 
> it's found, the script records the IP and notifies me.

This is important, I found injections in ALL my fields, not just the 
obvious textarea fields.  Hidden and regular text boxes have been used as 
well, since this attack is automated and doesn't function as a normal 
browser would.


> Since it's my understanding that the exploitation can't 
> happen without the use of Content-Type: (the MIME header 
> that dictates part of a message's structure), something 
> like this has worked well:
> 
> foreach( $form_fields as $value )
> {
>   if( stripos($value,'Content-Type:') !== FALSE )
>   {
>     mail('admin at my.com','Spam Attempt',$_SERVER['REMOTE_ADDR']);
>     exit("{$_SERVER['REMOTE_ADDR']} Has been Recorded");
>   }
> }
> 

A PHP4 version of the above looks something like this, and seems to work:

if (strpos(strtolower($someField), 'content-type:') !== false) {
        mail('admin at example.net', 'Spam attempt from example.net', 
$_SERVER['REMOTE_ADDR']);
} else {
        mail('customerservice at example.net', 'Customer submission from 
example.net', $msg, $headers);
}


> Of course complete input filtering might be the better 
> solution to this.

Agreed.




Daniel Krook, Advisory IT Specialist 
Application Development, Production Services - Tools, ibm.com

Personal: http://info.krook.org/
BluePages: http://bluepages.redirect.webahead.ibm.com/
BlogPages: http://blogpages.redirect.webahead.ibm.com/



From mail at billyreisinger.com  Mon Sep 12 09:55:59 2005
From: mail at billyreisinger.com (Billy Reisinger)
Date: Mon, 12 Sep 2005 09:55:59 -0400
Subject: [nycphp-talk] worm/virus's hammering feedback scripts?
In-Reply-To: <0MKp2t-1EEnZh055l-0000LJ@mrelay.perfora.net>
References: <0MKp2t-1EEnZh055l-0000LJ@mrelay.perfora.net>
Message-ID: <432588EF.6040409@billyreisinger.com>

I think it is important to note that the attacker(s) are probably using 
many email addresses, and that everyone should start checking their 
input fields to make sure that MIME headers aren't being injected into 
their mail scripts.
Cheers,
Billy Reisinger

Hans Zaunere wrote:

>Rolan Yang scribbled on Sunday, September 11, 2005 11:52 PM:
>  
>
>>One more hint to all:
>>
>> If you are hosting php scripts for other people, or simply have too
>>many to comb through on your own server(s), grep your mail server log
>>for "jrubin3546 at aol.com".  If you see any results, cross reference
>>that time with your web logs to locate the exploitable script.
>>    
>>
>
>Another address I've seen is mhkoch321 at aol.com
>
>Rolan, and I think you're right about this problem not getting enough
>exposure.  If you can write-up a couple of paragraphs about it, I'll post it
>on nyphp.org's frontpage.
>
>
>---
>Hans Zaunere / President / New York PHP
>  www.nyphp.org  /  www.nyphp.com
>
>
>_______________________________________________
>New York PHP Talk Mailing List
>AMP Technology
>Supporting Apache, MySQL and PHP
>http://lists.nyphp.org/mailman/listinfo/talk
>http://www.nyphp.org
>
>
>
>  
>



From shiflett at php.net  Mon Sep 12 10:05:05 2005
From: shiflett at php.net (Chris Shiflett)
Date: Mon, 12 Sep 2005 10:05:05 -0400
Subject: [nycphp-talk] worm/virus's hammering feedback scripts?
In-Reply-To: <OF5DF984F9.3FB9FD24-ON8525707A.0049C9FA-8525707A.004A5324@us.ibm.com>
References: <OF5DF984F9.3FB9FD24-ON8525707A.0049C9FA-8525707A.004A5324@us.ibm.com>
Message-ID: <43258B11.6040707@php.net>

Daniel Krook wrote:
> This is important, I found injections in ALL my fields, not just the
> obvious textarea fields. Hidden and regular text boxes have been used
> as well, since this attack is automated and doesn't function as a
> normal browser would.

Having just written a penetration testing tool, I can say that an 
application's HTML is the perfect blueprint for an attack. It's pretty 
trivial to collect a list of URLs within an application. With that list, 
you simply search for all links and forms that point to each URL (not 
one pass per URL, but you get the idea), and you collect a list of 
variable names that are expected by each script. It doesn't matter what 
the interface to the user is.

With such a list, you can pretty much do whatever you please - you can 
even try injecting content into each variable name as a variety of types 
- GET data, POST data, cookies, etc.

So, as developers, we must necessarily give away a lot of information 
about our applications. This makes our job even harder.

Chris

-- 
Chris Shiflett
Brain Bulb, The PHP Consultancy
http://brainbulb.com/


From chsnyder at gmail.com  Mon Sep 12 11:06:47 2005
From: chsnyder at gmail.com (csnyder)
Date: Mon, 12 Sep 2005 11:06:47 -0400
Subject: [nycphp-talk] worm/virus's hammering feedback scripts?
In-Reply-To: <43258B11.6040707@php.net>
References: <OF5DF984F9.3FB9FD24-ON8525707A.0049C9FA-8525707A.004A5324@us.ibm.com>
	<43258B11.6040707@php.net>
Message-ID: <b7625269050912080629c5a7ce@mail.gmail.com>

On 9/12/05, Chris Shiflett <shiflett at php.net> wrote:

> With such a list, you can pretty much do whatever you please - you can
> even try injecting content into each variable name as a variety of types
> - GET data, POST data, cookies, etc.
> 
> So, as developers, we must necessarily give away a lot of information
> about our applications. This makes our job even harder.

The web is the most insecure environment ever invented for
applications. Your entire *public* interface is transparently exposed
to any and all attackers, both human and scripted, 24x7 worldwide.

Spam bots like the one described in this thread are just the
beginning, I think. Sorry for the fear-mongering, what can PHP do to
protect us?

A simpler mail() function would be a great start. Something like:

text_mail( $to, $from, $subject, $body )

 - strip MIME injection from all inputs
 - strip /r and /n from all but the body
 - strip_tags( $body )

This would address (almost?) everything that contact.php and
feedback.php builders need from an email function.

Or if that's too limited, use an array for $headers and build them
from each element in the array, stripped of \r and \n.


-- 
Chris Snyder
http://chxo.com/


From rolan at omnistep.com  Mon Sep 12 11:16:18 2005
From: rolan at omnistep.com (Rolan Yang)
Date: Mon, 12 Sep 2005 11:16:18 -0400
Subject: [nycphp-talk] worm/virus's hammering feedback scripts?
In-Reply-To: <0MKp2t-1EEnZh055l-0000LJ@mrelay.perfora.net>
References: <0MKp2t-1EEnZh055l-0000LJ@mrelay.perfora.net>
Message-ID: <43259BC2.4050604@omnistep.com>

Hans Zaunere wrote:

>Another address I've seen is mhkoch321 at aol.com
>
>Rolan, and I think you're right about this problem not getting enough
>exposure.  If you can write-up a couple of paragraphs about it, I'll post it
>on nyphp.org's frontpage.
>
Ok, here's the bulletin. If anyone would like to polish it up, feel free 
to do so. I'm not good at writing this stuff.

Problem:
Bot-net scanning underway to detect and log php scripts which are 
vulnerable to a email header injection exploit.

What is vulnerable:
PHP scripts which send email based on cgi input data should be inspected 
for the vulnerability.

Discussion:
A large scale distributed network of machines are currently being 
employed to scan php based websites in search of scripts which are 
vulnerable to a injection-style security exploit. The exploit permits an 
attacker to send emails to arbitrary destinations. A common target is 
the web based feedback form which submits an email to a designated 
address, but could be any form which results in an email being sent.  
The method used to exploit the vulnerability is by injection of email 
headers into cgi form fields which are passed to the mail server. The 
mail server then parses the headers and sends the email to the 
address(es) designated in the maliciously injected headers.

Exploit:
The bot-net script currently probes vulnerable scripts by injecting 
malicious headers into cgi form fields. The headers forward an email 
response to one of several target email address to which the hacker has 
access. We assume the attacker is collecting a list of vulnerable sites 
which may be used later as an open relay for spam or  large scale 
deployment of viruses/worms.

For more information about the attack, please refer to:
http://securephp.damonkohler.com/index.php/Email_Injection (thank's to 
Billy Reisinger for the link)

A google search for the target emails reveals that scans have been 
taking place since at least July 8, 2005

Detection and Solution:
The current bot-net probe is known to send its reply to one of several 
known email addresses on the following list.

Grep through your mail server logs for the list of emails. If any are 
found, cross reference the time of the mailing to times in your web 
server logs to help determine the exploitable script.

grep -f exploitemails.txt /var/log/maillog (or wherever your mail log is 
located)

Vulnerable scripts should be modified to properly filter input fields. 
Ken Robinson has posted a
php example at: 
http://lists.nyphp.org/pipermail/talk/2005-September/016124.html

To follow the mailing list thread on this topic, please visit:
http://lists.nyphp.org/pipermail/talk/2005-September/thread.html#16123

(we should build a list of these emails and publish them along with this 
notification)

Current list:
jrubin3546 at aol.com
mkoch321 at aol.com
wnacyiplay at aol.com
kshmng at aol.com
Homeiragtime at aol.com
bergkoch8 at aol.com

~Rolan Yang


From michael.southwell at nyphp.org  Mon Sep 12 12:15:21 2005
From: michael.southwell at nyphp.org (Michael Southwell)
Date: Mon, 12 Sep 2005 12:15:21 -0400
Subject: [nycphp-talk] worm/virus's hammering feedback scripts? POLISHED
 VERSION
In-Reply-To: <43259BC2.4050604@omnistep.com>
References: <0MKp2t-1EEnZh055l-0000LJ@mrelay.perfora.net>
	<43259BC2.4050604@omnistep.com>
Message-ID: <6.2.3.4.2.20050912120926.0244d060@mail.optonline.net>

I polished this up a bit.

IMPORTANT:  Ken's original function did not work in my testing, 
because (1) the \ in \r and \n needed to be escaped, and (2) he had 
the letter O instead of the numeral 0 in the hex numbers.  Somebody 
smarter than I am, please check carefully the modified version included below.
===========================

Problem:
Bot-net scanning to locate php scripts which are vulnerable to a email
header injection exploit. All PHP scripts which send email based on
input data are vulnerable.

Discussion:
A large scale distributed network of machines is currently being
employed to scan php-based websites in search of scripts which are
vulnerable to an injection-style security exploit. The exploit permits
an attacker to send emails to arbitrary destinations. A common target
is the kind of web-based feedback form which submits an email to a
designated address, but any form which results in an email being sent
could be vulnerable. The bot-net script injects malicious email
headers into the form's fields, which are then passed to the mail server.
The mail server parses those headers and then sends email to the
address designated in the maliciously injected headers. We assume the
attacker is collecting a list of vulnerable sites which may be used
later as an open relay for spam or large scale deployment of
viruses/worms.

For more information about the attack, see
http://securephp.damonkohler.com/index.php/Email_Injection

(Thanks to Billy Reisinger for this link.)

A Google search for the injected email addresses reveals that scans have been
taking place since at least July 8, 2005

Detection and Solution:
The current bot-net probe is known to send its reply to one of several
known email addresses on the following list (current as of this writing:
jrubin3546 at aol.com
mkoch321 at aol.com
wnacyiplay at aol.com
kshmng at aol.com
Homeiragtime at aol.com
bergkoch8 at aol.com

Grep through your mail server logs for the list of emails, using a 
command something like this:

grep -f exploitaddresses.lst /var/log/maillog (or wherever your mail 
log is located)

If any are found, cross reference the time of the mailing to times in
your web server logs to help determine the exploitable script. Modify
any such scripts to properly filter input fields, with a function
something like this:

function safe( $name ) {
   return( str_replace(
     array( "\\r", "\\n", "%0A", "%0a", "%0D", "%0d", 
"Content-Type:", "BCC:", "bcc:" ),
     "", $name ) );
}

(Thanks to Ken Robinson for the original version of this function.)

To follow the mailing list thread on this topic, see
http://lists.nyphp.org/pipermail/talk/2005-September/thread.html#16123


Michael Southwell, Vice President for Education
New York PHP
http://www.nyphp.com/training - In-depth PHP Training Courses 



From danielc at analysisandsolutions.com  Mon Sep 12 12:20:18 2005
From: danielc at analysisandsolutions.com (Daniel Convissor)
Date: Mon, 12 Sep 2005 12:20:18 -0400
Subject: [nycphp-talk] worm/virus's hammering feedback scripts?
In-Reply-To: <OF5DF984F9.3FB9FD24-ON8525707A.0049C9FA-8525707A.004A5324@us.ibm.com>
	<43259BC2.4050604@omnistep.com>
References: <0MKp2t-1EEVZL04AF-0004KA@mrelay.perfora.net>
	<OF5DF984F9.3FB9FD24-ON8525707A.0049C9FA-8525707A.004A5324@us.ibm.com>
	<0MKp2t-1EEnZh055l-0000LJ@mrelay.perfora.net>
	<43259BC2.4050604@omnistep.com>
Message-ID: <20050912162018.GA22938@panix.com>

Hey Folks:

On Mon, Sep 12, 2005 at 11:16:18AM -0400, Rolan Yang wrote:

> Detection and Solution:
> The current bot-net probe is known to send its reply to one of several 
> known email addresses on the following list.

A list of addresses is the wrong approach.  The email addresses are 
variable and easy to change.  More importantly, the content is the issue, 
not the email address.


> Vulnerable scripts should be modified to properly filter input fields. 
> Ken Robinson has posted a
> php example at: 
> http://lists.nyphp.org/pipermail/talk/2005-September/016124.html

That solution is less than perfect.  First, it's case sensitive, so misses 
things like "BcC", meaning str_ireplace() would be better.  Second, it 
catches things that don't need to be.

The mere existence of "content-type" or "bcc" in the inputs isn't a 
problem.  The danger is having those at the beginning of a line and only 
in fields that get put into the email headers.  So, this vulnerability can 
be solved by removing white space characters other than regular spaces 
from any field going into the email headers.  Or better yet, only allowing 
letters, numbers, spaces and a few punctuation type characters.

Non Issue:
$var = "Content-type: crack";
$subject = "Subject: $var";

Real Issue:
$var = "You're about to be cracked\r\nContent-type: crack";
$subject = "Subject: $var";

--Dan

-- 
 T H E   A N A L Y S I S   A N D   S O L U T I O N S   C O M P A N Y
            data intensive web and database programming
                http://www.AnalysisAndSolutions.com/
 4015 7th Ave #4, Brooklyn NY 11232  v: 718-854-0335 f: 718-854-0409


From edwardpotter at gmail.com  Mon Sep 12 12:29:12 2005
From: edwardpotter at gmail.com (edward potter)
Date: Mon, 12 Sep 2005 12:29:12 -0400
Subject: [nycphp-talk] PHPWiki
In-Reply-To: <b762526905091205044def6d8a@mail.gmail.com>
References: <43242A1B.4050102@magpie.com>
	<b762526905091205044def6d8a@mail.gmail.com>
Message-ID: <c5949a3805091209294d469905@mail.gmail.com>

i'm also a covert to MediaWiki. I would LOVE to see an O'Reilly book on 
MediaWiki __ the code is super-tight, hardcore php and it usually takes me 
an afternoon just to figure what a procedure may be doing (kinda of like 
osCommerce). 

I was wondering if anyone has come across a good Programmers Guide to 
MediaWiki, yes i've googled it, have some links, but still kinda of piece 
meal.

thanks, ed 

On 9/12/05, csnyder <chsnyder at gmail.com> wrote:
> 
> On 9/11/05, Steve Manes <smanes at magpie.com> wrote:
> 
> > Is v1.3 not ready for prime time or does it require PHP5? The
> > installation docs are somewhat byzantine. Is there a better PHP
> > alternative to PHPWiki?
> 
> I'll second Tom's suggestion of MediaWiki.
> 
> PHPWiki worked fine for me until I tried to upgrade to PHP5, which was
> extremely unpleasant.
> 
> 
> --
> Chris Snyder
> http://chxo.com/
> _______________________________________________
> New York PHP Talk Mailing List
> AMP Technology
> Supporting Apache, MySQL and PHP
> http://lists.nyphp.org/mailman/listinfo/talk
> http://www.nyphp.org
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.nyphp.org/pipermail/talk/attachments/20050912/8f7e14ce/attachment.html>

From michael.southwell at nyphp.org  Mon Sep 12 12:41:12 2005
From: michael.southwell at nyphp.org (Michael Southwell)
Date: Mon, 12 Sep 2005 12:41:12 -0400
Subject: [nycphp-talk] worm/virus's hammering feedback scripts?
In-Reply-To: <20050912162018.GA22938@panix.com>
References: <0MKp2t-1EEVZL04AF-0004KA@mrelay.perfora.net>
	<OF5DF984F9.3FB9FD24-ON8525707A.0049C9FA-8525707A.004A5324@us.ibm.com>
	<0MKp2t-1EEnZh055l-0000LJ@mrelay.perfora.net>
	<43259BC2.4050604@omnistep.com> <20050912162018.GA22938@panix.com>
Message-ID: <6.2.3.4.2.20050912123707.0246ca40@mail.optonline.net>

At 12:20 PM 9/12/2005, you wrote:
>Hey Folks:
>
>On Mon, Sep 12, 2005 at 11:16:18AM -0400, Rolan Yang wrote:
>
> > Detection and Solution:
> > The current bot-net probe is known to send its reply to one of several
> > known email addresses on the following list.
>
>A list of addresses is the wrong approach.  The email addresses are
>variable and easy to change.  More importantly, the content is the issue,
>not the email address.

The point is simply to identify which scripts have sent emails to the 
known-bad addresses; those are the vulnerable ones.



> > Vulnerable scripts should be modified to properly filter input fields.
> > Ken Robinson has posted a
> > php example at:
> > http://lists.nyphp.org/pipermail/talk/2005-September/016124.html
>
>That solution is less than perfect.  First, it's case sensitive, so misses
>things like "BcC", meaning str_ireplace() would be better.  Second, it
>catches things that don't need to be.

There were other problems as well, which I noted in my polished 
version.  We need an officially sanctioned version of the function 
before we can post anything.


>The mere existence of "content-type" or "bcc" in the inputs isn't a
>problem.  The danger is having those at the beginning of a line and only
>in fields that get put into the email headers.  So, this vulnerability can
>be solved by removing white space characters other than regular spaces
>from any field going into the email headers.  Or better yet, only allowing
>letters, numbers, spaces and a few punctuation type characters.

Michael Southwell, Vice President for Education
New York PHP
http://www.nyphp.com/training - In-depth PHP Training Courses 



From lists at zaunere.com  Mon Sep 12 13:31:32 2005
From: lists at zaunere.com (Hans Zaunere)
Date: Mon, 12 Sep 2005 13:31:32 -0400
Subject: [nycphp-talk] worm/virus's hammering feedback scripts?
In-Reply-To: <43259BC2.4050604@omnistep.com>
Message-ID: <0MKoyl-1EEs9W42VD-0003yN@mrelay.perfora.net>


This is great Rolan, many thanks - I'll get it online right away...

H


Rolan Yang scribbled on Monday, September 12, 2005 11:16 AM:
> Hans Zaunere wrote:
> 
> > Another address I've seen is mhkoch321 at aol.com
> > 
> > Rolan, and I think you're right about this problem not getting
> > enough exposure.  If you can write-up a couple of paragraphs about
> > it, I'll post it on nyphp.org's frontpage. 
> > 
> Ok, here's the bulletin. If anyone would like to polish it up, feel
> free to do so. I'm not good at writing this stuff.
> 
> Problem:
> Bot-net scanning underway to detect and log php scripts which are
> vulnerable to a email header injection exploit.
> 
> What is vulnerable:
> PHP scripts which send email based on cgi input data should be
> inspected for the vulnerability.
> 
> Discussion:
> A large scale distributed network of machines are currently being
> employed to scan php based websites in search of scripts which are
> vulnerable to a injection-style security exploit. The exploit permits
> an attacker to send emails to arbitrary destinations. A common target
> is the web based feedback form which submits an email to a designated
> address, but could be any form which results in an email being sent.
> The method used to exploit the vulnerability is by injection of email
> headers into cgi form fields which are passed to the mail server. The
> mail server then parses the headers and sends the email to the
> address(es) designated in the maliciously injected headers.
> 
> Exploit:
> The bot-net script currently probes vulnerable scripts by injecting
> malicious headers into cgi form fields. The headers forward an email
> response to one of several target email address to which the hacker
> has access. We assume the attacker is collecting a list of vulnerable
> sites which may be used later as an open relay for spam or  large
> scale deployment of viruses/worms.
> 
> For more information about the attack, please refer to:
> http://securephp.damonkohler.com/index.php/Email_Injection (thank's to
> Billy Reisinger for the link)
> 
> A google search for the target emails reveals that scans have been
> taking place since at least July 8, 2005
> 
> Detection and Solution:
> The current bot-net probe is known to send its reply to one of several
> known email addresses on the following list.
> 
> Grep through your mail server logs for the list of emails. If any are
> found, cross reference the time of the mailing to times in your web
> server logs to help determine the exploitable script.
> 
> grep -f exploitemails.txt /var/log/maillog (or wherever your mail log
> is located)
> 
> Vulnerable scripts should be modified to properly filter input fields.
> Ken Robinson has posted a
> php example at:
> http://lists.nyphp.org/pipermail/talk/2005-September/016124.html
> 
> To follow the mailing list thread on this topic, please visit:
> http://lists.nyphp.org/pipermail/talk/2005-September/thread.html#16123
> 
> (we should build a list of these emails and publish them along with
> this notification)
> 
> Current list:
> jrubin3546 at aol.com
> mkoch321 at aol.com
> wnacyiplay at aol.com
> kshmng at aol.com
> Homeiragtime at aol.com
> bergkoch8 at aol.com
> 
> ~Rolan Yang
> _______________________________________________
> New York PHP Talk Mailing List
> AMP Technology
> Supporting Apache, MySQL and PHP
> http://lists.nyphp.org/mailman/listinfo/talk
> http://www.nyphp.org



From lists at zaunere.com  Mon Sep 12 13:31:32 2005
From: lists at zaunere.com (Hans Zaunere)
Date: Mon, 12 Sep 2005 13:31:32 -0400
Subject: [nycphp-talk] worm/virus's hammering feedback scripts?
In-Reply-To: <b7625269050912080629c5a7ce@mail.gmail.com>
Message-ID: <0MKoyl-1EEs9Z0ZJR-0003yN@mrelay.perfora.net>



csnyder scribbled on Monday, September 12, 2005 11:07 AM:
> On 9/12/05, Chris Shiflett wrote:
> 
> > With such a list, you can pretty much do whatever you please - you
> > can even try injecting content into each variable name as a variety
> > of types - GET data, POST data, cookies, etc.
> > 
> > So, as developers, we must necessarily give away a lot of
> > information about our applications. This makes our job even harder.

It's the nature of the beast and shouldn't be feared - a good Internet
developer should always assume that their application will be exposed to
unexpected circumstances.  And especially in a web environment, it should
always be assumed that the most common of the unexpected circumstances will
be direct/raw access to the application, ie, not using a browser.

> The web is the most insecure environment ever invented for
> applications. Your entire *public* interface is transparently exposed
> to any and all attackers, both human and scripted, 24x7 worldwide.
> 
> Spam bots like the one described in this thread are just the
> beginning, I think. Sorry for the fear-mongering, what can PHP do to
> protect us?

I'm not sure it's PHP's responsibility.  Is it C's responsibility that you
don't overstep memory bounds?  Sure, some will argue that it is, and while
this is more a matter of opinion, I'm of the school that a language should
provide the tools, and let the developer be responsible for the
implementation.  Many times, these tools should be available as a library,
rather than the language itself.  From past PHP features - like magic quotes
and register globals - I think we've seen that language supplied convenience
can be more of a hindrance, than an aid.  There's a fine line between the
language itself doing something, and the library that does something (thus
the moving of many PHP extensions from the core language into PECL).

A web developer has to understand that their application isn't subject to
access solely through a browser.  Countless times I've seen lights go off in
people's heads when I've asked "what would happen if I telnet into your web
server and start sending HTTP crafted headers?"  The lights are often
followed by open eyes and then intense code work :)


---
Hans Zaunere / President / New York PHP
   www.nyphp.org  /  www.nyphp.com




From dmintz at davidmintz.org  Mon Sep 12 14:24:07 2005
From: dmintz at davidmintz.org (David Mintz)
Date: Mon, 12 Sep 2005 14:24:07 -0400 (EDT)
Subject: [nycphp-talk] worm/virus's hammering feedback scripts?
In-Reply-To: <43248C2F.8030006@omnistep.com>
References: <0MKp2t-1EEVZL04AF-0004KA@mrelay.perfora.net>
	<43248C2F.8030006@omnistep.com>
Message-ID: <Pine.BSF.4.58.0509111619520.17701@emra.pair.com>


I am a little confused about how my contact.php has been abused, or
whether the attack actually succeeded or just annoyed me.

There are fields for contact data such as phone number etc but these are
validated and then end up as part of the message body.

The To (site owner, and me) and Subject headers are hard-coded.  The
user-supplied email goes into Reply-to header as a convenience to the
ultimate human receiver. However, that email is validated against this
regex by HTML_QuickForm:

/^((\"[^\"\f\n\r\t\v\b]+\")|([\w\!\#\$\%\&\'\*\+\-\~\/\^\`\|\{\}]+(\.[\w\!\#\$\%\&\'\*\+\-\~\/\^\`\|\{\}]+)*))@((\[(((25[0-5])|(2[0-4][0-9])|([0-1]?[0-9]?[0-9]))\.((25[0-5])|(2[0-4][0-9])|([0-1]?[0-9]?[0-9]))\.((25[0-5])|(2[0-4][0-9])|([0-1]?[0-9]?[0-9]))\.((25[0-5])|(2[0-4][0-9])|([0-1]?[0-9]?[0-9])))\])|(((25[0-5])|(2[0-4][0-9])|([0-1]?[0-9]?[0-9]))\.((25[0-5])|(2[0-4][0-9])|([0-1]?[0-9]?[0-9]))\.((25[0-5])|(2[0-4][0-9])|([0-1]?[0-9]?[0-9]))\.((25[0-5])|(2[0-4][0-9])|([0-1]?[0-9]?[0-9])))|((([A-Za-z0-9\-])+\.)+[A-Za-z\-]+))$/


It isn't optimized for readability but I really don't think you can slip
newlines and "\r\nCc: whatever at example.org" and 'Content-type:...' in
there. Messages come to me like the following (site domain name changed
for discretion's sake). I looks like the nasty part only made it into the
message body. Does this nevertheless mean the mail function actually sent
mail to the now famous jrubin3546 at aol.com?

Date: 11 Sep 2005 16:55:58 -0000
From: webmaster at example.org
Reply-To: jkbfi at example.org
To: site-owner at example.org, dmintz at davidmintz.org
Subject: EXAMPLE Mailing List

The following request to be added to the EXAMPLE mailing list was
submitted via EXAMPLE.org on 11-Sep-2005 at 12:55 pm

jkbfi at example.org, jkbfi at example.org jkbfi at example.org
Content-Type: multipart/mixed; boundary="===============2144621942=="
MIME-Version: 1.0
Subject: a29babd0
To: jkbfi at example.org
bcc: jrubin3546 at aol.com
From: jkbfi at example.org

This is a multi-part message in MIME format.

--===============2144621942==
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit

bsmiaujtd
--===============2144621942==--
jkbfi at example.org
jkbfi at example.org
jkbfi at example.org
jkbfi at example.org
jkbfi at example.org, jkbfi at example.org jkbfi at example.org

Business phone jkbfi at example.org
Business fax   jkbfi at example.org
Cellular       jkbfi at example.org
Home phone     jkbfi at example.org
Email          jkbfi at example.org

[end example]

Meawhile I have hardened this script along the lines suggested by Hans Z
et al and started logging the state of the input after validation on every
invocation of the script, and these logs show that the bot is being
thwarted and the script is exiting harmlessly, so thank you very much.

I think it's time to propose some white-list style regexps instead of
trying to filter out the evil stuff (thanks Shiflett). For example, would
you agree that a proper name (of a person) in most any Western
European language ought to pass this test?

function checkProperName($name) {
    return preg_match("/[^a-zA-Z\xC0-\xFF .,'-]/",$name) == false;
}

---
David Mintz
http://davidmintz.org/


From danielc at analysisandsolutions.com  Mon Sep 12 14:35:30 2005
From: danielc at analysisandsolutions.com (Daniel Convissor)
Date: Mon, 12 Sep 2005 14:35:30 -0400
Subject: [nycphp-talk] worm/virus's hammering feedback scripts?
In-Reply-To: <6.2.3.4.2.20050912123707.0246ca40@mail.optonline.net>
References: <0MKp2t-1EEVZL04AF-0004KA@mrelay.perfora.net>
	<OF5DF984F9.3FB9FD24-ON8525707A.0049C9FA-8525707A.004A5324@us.ibm.com>
	<0MKp2t-1EEnZh055l-0000LJ@mrelay.perfora.net>
	<43259BC2.4050604@omnistep.com> <20050912162018.GA22938@panix.com>
	<6.2.3.4.2.20050912123707.0246ca40@mail.optonline.net>
Message-ID: <20050912183529.GA1332@panix.com>

Hi Michael:

On Mon, Sep 12, 2005 at 12:41:12PM -0400, Michael Southwell wrote:
> At 12:20 PM 9/12/2005, you wrote:
>
> >A list of addresses is the wrong approach.  The email addresses are
> >variable and easy to change.  More importantly, the content is the issue,
> >not the email address.
> 
> The point is simply to identify which scripts have sent emails to the 
> known-bad addresses; those are the vulnerable ones.

I'm afraid that will lead people into both a false sense of security and 
using email address blacklists.  Folks should audit their email scripts, 
period.


> There were other problems as well, which I noted in my polished 
> version.  We need an officially sanctioned version of the function 
> before we can post anything.

Agreed.  Here's what I think is a good starting point for discussion...

<?php
// untested!!!!
// MUST do is_set() checks on all of these for first!
// left out for brevity.

if (eregi('^[a-z0-9_.=+-]+@([a-z0-9-]+\.)+([a-z]{2,6})$', $_POST['address'])) {
    $address = $_POST['address'];
} else {
    echo 'bad email';
    exit;
}

$name = eregi_replace("[^a-z .'-]", $_POST['name']);
$subject = eregi_replace("[^a-z .'-]", $_POST['subject']);
$message = htmlspecialchars($_POST['message']);

@mail('me at example.com', $subject, $message, "From: $name <$address>");
?>

--Dan

-- 
 T H E   A N A L Y S I S   A N D   S O L U T I O N S   C O M P A N Y
            data intensive web and database programming
                http://www.AnalysisAndSolutions.com/
 4015 7th Ave #4, Brooklyn NY 11232  v: 718-854-0335 f: 718-854-0409


From mail at billyreisinger.com  Mon Sep 12 14:36:19 2005
From: mail at billyreisinger.com (Billy Reisinger)
Date: Mon, 12 Sep 2005 14:36:19 -0400
Subject: [nycphp-talk] worm/virus's hammering feedback scripts?
In-Reply-To: <Pine.BSF.4.58.0509111619520.17701@emra.pair.com>
References: <0MKp2t-1EEVZL04AF-0004KA@mrelay.perfora.net>	<43248C2F.8030006@omnistep.com>
	<Pine.BSF.4.58.0509111619520.17701@emra.pair.com>
Message-ID: <4325CAA3.4000304@billyreisinger.com>

Dear David:
The attacker only needs to slip a mail header in _any_ of the variables 
passed to mail(); not just a Reply-to: header.  In brief, this attack 
works due to a "feature" of MIME headers which allow you to have 
duplicate header entries (i.e. To:, Reply-to:, etc) in _any_order_ in 
the mail header.  In fact, the attacker can stop a mail message in the 
middle of the message body and begin an entirely new message!  For a 
more thorough (and cogent) explanation of this vulnerability, head on 
over to http://securephp.damonkohler.com/index.php/Email_Injection .  
It's kind of a funky problem to get your brain around.  I agree that the 
community needs some sort of standardized solution to squash this 
problem once and for all!

David Mintz wrote:

>I am a little confused about how my contact.php has been abused, or
>whether the attack actually succeeded or just annoyed me.
>
>There are fields for contact data such as phone number etc but these are
>validated and then end up as part of the message body.
>
>The To (site owner, and me) and Subject headers are hard-coded.  The
>user-supplied email goes into Reply-to header as a convenience to the
>ultimate human receiver. However, that email is validated against this
>regex by HTML_QuickForm:
>
>/^((\"[^\"\f\n\r\t\v\b]+\")|([\w\!\#\$\%\&\'\*\+\-\~\/\^\`\|\{\}]+(\.[\w\!\#\$\%\&\'\*\+\-\~\/\^\`\|\{\}]+)*))@((\[(((25[0-5])|(2[0-4][0-9])|([0-1]?[0-9]?[0-9]))\.((25[0-5])|(2[0-4][0-9])|([0-1]?[0-9]?[0-9]))\.((25[0-5])|(2[0-4][0-9])|([0-1]?[0-9]?[0-9]))\.((25[0-5])|(2[0-4][0-9])|([0-1]?[0-9]?[0-9])))\])|(((25[0-5])|(2[0-4][0-9])|([0-1]?[0-9]?[0-9]))\.((25[0-5])|(2[0-4][0-9])|([0-1]?[0-9]?[0-9]))\.((25[0-5])|(2[0-4][0-9])|([0-1]?[0-9]?[0-9]))\.((25[0-5])|(2[0-4][0-9])|([0-1]?[0-9]?[0-9])))|((([A-Za-z0-9\-])+\.)+[A-Za-z\-]+))$/
>
>
>It isn't optimized for readability but I really don't think you can slip
>newlines and "\r\nCc: whatever at example.org" and 'Content-type:...' in
>there. Messages come to me like the following (site domain name changed
>for discretion's sake). I looks like the nasty part only made it into the
>message body. Does this nevertheless mean the mail function actually sent
>mail to the now famous jrubin3546 at aol.com?
>
>Date: 11 Sep 2005 16:55:58 -0000
>From: webmaster at example.org
>Reply-To: jkbfi at example.org
>To: site-owner at example.org, dmintz at davidmintz.org
>Subject: EXAMPLE Mailing List
>
>The following request to be added to the EXAMPLE mailing list was
>submitted via EXAMPLE.org on 11-Sep-2005 at 12:55 pm
>
>jkbfi at example.org, jkbfi at example.org jkbfi at example.org
>Content-Type: multipart/mixed; boundary="===============2144621942=="
>MIME-Version: 1.0
>Subject: a29babd0
>To: jkbfi at example.org
>bcc: jrubin3546 at aol.com
>From: jkbfi at example.org
>
>This is a multi-part message in MIME format.
>
>--===============2144621942==
>Content-Type: text/plain; charset="us-ascii"
>MIME-Version: 1.0
>Content-Transfer-Encoding: 7bit
>
>bsmiaujtd
>--===============2144621942==--
>jkbfi at example.org
>jkbfi at example.org
>jkbfi at example.org
>jkbfi at example.org
>jkbfi at example.org, jkbfi at example.org jkbfi at example.org
>
>Business phone jkbfi at example.org
>Business fax   jkbfi at example.org
>Cellular       jkbfi at example.org
>Home phone     jkbfi at example.org
>Email          jkbfi at example.org
>
>[end example]
>
>Meawhile I have hardened this script along the lines suggested by Hans Z
>et al and started logging the state of the input after validation on every
>invocation of the script, and these logs show that the bot is being
>thwarted and the script is exiting harmlessly, so thank you very much.
>
>I think it's time to propose some white-list style regexps instead of
>trying to filter out the evil stuff (thanks Shiflett). For example, would
>you agree that a proper name (of a person) in most any Western
>European language ought to pass this test?
>
>function checkProperName($name) {
>    return preg_match("/[^a-zA-Z\xC0-\xFF .,'-]/",$name) == false;
>}
>
>---
>David Mintz
>http://davidmintz.org/
>_______________________________________________
>New York PHP Talk Mailing List
>AMP Technology
>Supporting Apache, MySQL and PHP
>http://lists.nyphp.org/mailman/listinfo/talk
>http://www.nyphp.org
>
>
>
>  
>



From mail at billyreisinger.com  Mon Sep 12 14:38:23 2005
From: mail at billyreisinger.com (Billy Reisinger)
Date: Mon, 12 Sep 2005 14:38:23 -0400
Subject: [nycphp-talk] worm/virus's hammering feedback scripts?
In-Reply-To: <20050912183529.GA1332@panix.com>
References: <0MKp2t-1EEVZL04AF-0004KA@mrelay.perfora.net>	<OF5DF984F9.3FB9FD24-ON8525707A.0049C9FA-8525707A.004A5324@us.ibm.com>	<0MKp2t-1EEnZh055l-0000LJ@mrelay.perfora.net>	<43259BC2.4050604@omnistep.com>
	<20050912162018.GA22938@panix.com>	<6.2.3.4.2.20050912123707.0246ca40@mail.optonline.net>
	<20050912183529.GA1332@panix.com>
Message-ID: <4325CB1F.20602@billyreisinger.com>

This eregi() is a good start - but like I said in a previous post, ALL 
variables should be checked this way, including subject and message!  
The cruel nature of this hack is that it works anywhere in the mail() 
function. 
Cheers,
Billy Reisinger

Daniel Convissor wrote:

>Hi Michael:
>
>On Mon, Sep 12, 2005 at 12:41:12PM -0400, Michael Southwell wrote:
>  
>
>>At 12:20 PM 9/12/2005, you wrote:
>>
>>    
>>
>>>A list of addresses is the wrong approach.  The email addresses are
>>>variable and easy to change.  More importantly, the content is the issue,
>>>not the email address.
>>>      
>>>
>>The point is simply to identify which scripts have sent emails to the 
>>known-bad addresses; those are the vulnerable ones.
>>    
>>
>
>I'm afraid that will lead people into both a false sense of security and 
>using email address blacklists.  Folks should audit their email scripts, 
>period.
>
>
>  
>
>>There were other problems as well, which I noted in my polished 
>>version.  We need an officially sanctioned version of the function 
>>before we can post anything.
>>    
>>
>
>Agreed.  Here's what I think is a good starting point for discussion...
>
><?php
>// untested!!!!
>// MUST do is_set() checks on all of these for first!
>// left out for brevity.
>
>if (eregi('^[a-z0-9_.=+-]+@([a-z0-9-]+\.)+([a-z]{2,6})$', $_POST['address'])) {
>    $address = $_POST['address'];
>} else {
>    echo 'bad email';
>    exit;
>}
>
>$name = eregi_replace("[^a-z .'-]", $_POST['name']);
>$subject = eregi_replace("[^a-z .'-]", $_POST['subject']);
>$message = htmlspecialchars($_POST['message']);
>
>@mail('me at example.com', $subject, $message, "From: $name <$address>");
>?>
>
>--Dan
>
>  
>



From danielc at analysisandsolutions.com  Mon Sep 12 15:08:08 2005
From: danielc at analysisandsolutions.com (Daniel Convissor)
Date: Mon, 12 Sep 2005 15:08:08 -0400
Subject: [nycphp-talk] worm/virus's hammering feedback scripts?
In-Reply-To: <4325CB1F.20602@billyreisinger.com>
	<4325CAA3.4000304@billyreisinger.com>
References: <0MKp2t-1EEnZh055l-0000LJ@mrelay.perfora.net>
	<43259BC2.4050604@omnistep.com> <20050912162018.GA22938@panix.com>
	<6.2.3.4.2.20050912123707.0246ca40@mail.optonline.net>
	<20050912183529.GA1332@panix.com>
	<4325CB1F.20602@billyreisinger.com>
	<0MKp2t-1EEVZL04AF-0004KA@mrelay.perfora.net>
	<43248C2F.8030006@omnistep.com>
	<Pine.BSF.4.58.0509111619520.17701@emra.pair.com>
	<4325CAA3.4000304@billyreisinger.com>
Message-ID: <20050912190808.GA21414@panix.com>

Hi Billy:

On Mon, Sep 12, 2005 at 02:36:19PM -0400, Billy Reisinger wrote:
> In fact, the attacker can stop a mail message in the 
> middle of the message body and begin an entirely new message!  For a 
> more thorough (and cogent) explanation of this vulnerability, head on 
> over to http://securephp.damonkohler.com/index.php/Email_Injection .  

Huh?!  Insert headers in the middle of the message body?!  That doesn't 
make sense to me.  I believe you're misinterpreting the article you 
mention.  Perhaps I misunderstand things, but the way I see it, I can 
write "Content-Type: <whatever>" in the middle of message until my fingers 
fall off and it won't have any impact.  The problem is inserting that into 
the headers.


On Mon, Sep 12, 2005 at 02:38:23PM -0400, Billy Reisinger wrote:
> This eregi() is a good start - but like I said in a previous post, ALL 
> variables should be checked this way, including subject and message!  
> The cruel nature of this hack is that it works anywhere in the mail() 
> function.

My (buggy, someone please fix it, I'm short on time now) pseudo-code 
clears invalid characters from the subject and name plus if the email 
address is bogus, halts execution.

--Dan

-- 
 T H E   A N A L Y S I S   A N D   S O L U T I O N S   C O M P A N Y
            data intensive web and database programming
                http://www.AnalysisAndSolutions.com/
 4015 7th Ave #4, Brooklyn NY 11232  v: 718-854-0335 f: 718-854-0409


From dmintz at davidmintz.org  Mon Sep 12 15:10:19 2005
From: dmintz at davidmintz.org (David Mintz)
Date: Mon, 12 Sep 2005 15:10:19 -0400 (EDT)
Subject: [nycphp-talk] worm/virus's hammering feedback scripts?
In-Reply-To: <4325CAA3.4000304@billyreisinger.com>
References: <0MKp2t-1EEVZL04AF-0004KA@mrelay.perfora.net>
	<43248C2F.8030006@omnistep.com>
	<Pine.BSF.4.58.0509111619520.17701@emra.pair.com>
	<4325CAA3.4000304@billyreisinger.com>
Message-ID: <Pine.BSF.4.58.0509121507220.79811@emra.pair.com>

On Mon, 12 Sep 2005, Billy Reisinger wrote:

> The attacker only needs to slip a mail header in _any_ of the variables
> passed to mail(); not just a Reply-to: header.  In brief, this attack
> works due to a "feature" of MIME headers which allow you to have
> duplicate header entries (i.e. To:, Reply-to:, etc) in _any_order_ in
> the mail header.  In fact, the attacker can stop a mail message in the
> middle of the message body and begin an entirely new message!  For a
> more thorough (and cogent) explanation of this vulnerability, head on
> over to http://securephp.damonkohler.com/index.php/Email_Injection .
> It's kind of a funky problem to get your brain around.  I agree that the
> community needs some sort of standardized solution to squash this
> problem once and for all!

OK, thank you. The picture is getting clearer. I did look at that article
but did not read the whole thing thoroughly enough to pick up this
important point (my bad).

The takeaway seems to be:  always validate the hell out of everything no
matter what, period. Gee, sounds kind of familiar doesn't it.


---
David Mintz
http://davidmintz.org/


From chsnyder at gmail.com  Mon Sep 12 15:48:40 2005
From: chsnyder at gmail.com (csnyder)
Date: Mon, 12 Sep 2005 15:48:40 -0400
Subject: [nycphp-talk] worm/virus's hammering feedback scripts?
In-Reply-To: <20050912190808.GA21414@panix.com>
References: <0MKp2t-1EEnZh055l-0000LJ@mrelay.perfora.net>
	<20050912162018.GA22938@panix.com>
	<6.2.3.4.2.20050912123707.0246ca40@mail.optonline.net>
	<20050912183529.GA1332@panix.com>
	<0MKp2t-1EEVZL04AF-0004KA@mrelay.perfora.net>
	<43248C2F.8030006@omnistep.com>
	<Pine.BSF.4.58.0509111619520.17701@emra.pair.com>
	<4325CB1F.20602@billyreisinger.com>
	<4325CAA3.4000304@billyreisinger.com>
	<20050912190808.GA21414@panix.com>
Message-ID: <b76252690509121248ee54523@mail.gmail.com>

On 9/12/05, Daniel Convissor <danielc at analysisandsolutions.com> wrote:
> Hi Billy:
> 
> On Mon, Sep 12, 2005 at 02:36:19PM -0400, Billy Reisinger wrote:
> > In fact, the attacker can stop a mail message in the
> > middle of the message body and begin an entirely new message!  For a
> > more thorough (and cogent) explanation of this vulnerability, head on
> > over to http://securephp.damonkohler.com/index.php/Email_Injection .
> 
> Huh?!  Insert headers in the middle of the message body?!  That doesn't
> make sense to me.  I believe you're misinterpreting the article you
> mention.  Perhaps I misunderstand things, but the way I see it, I can
> write "Content-Type: <whatever>" in the middle of message until my fingers
> fall off and it won't have any impact.  The problem is inserting that into
> the headers.
> 

The article is dangerously ambiguous on this point, but I think you're
right on here, Dan. In order to insert new MIME parts into the message
body, you need to be able to set the boundary marker in the headers.

So the message body itself is safe, provided your headers are properly
sanitized.


From mail at billyreisinger.com  Mon Sep 12 15:52:48 2005
From: mail at billyreisinger.com (Billy Reisinger)
Date: Mon, 12 Sep 2005 15:52:48 -0400
Subject: [nycphp-talk] worm/virus's hammering feedback scripts?
In-Reply-To: <20050912190808.GA21414@panix.com>
References: <0MKp2t-1EEnZh055l-0000LJ@mrelay.perfora.net>	<43259BC2.4050604@omnistep.com>
	<20050912162018.GA22938@panix.com>	<6.2.3.4.2.20050912123707.0246ca40@mail.optonline.net>	<20050912183529.GA1332@panix.com>	<4325CB1F.20602@billyreisinger.com>	<0MKp2t-1EEVZL04AF-0004KA@mrelay.perfora.net>	<43248C2F.8030006@omnistep.com>	<Pine.BSF.4.58.0509111619520.17701@emra.pair.com>	<4325CAA3.4000304@billyreisinger.com>
	<20050912190808.GA21414@panix.com>
Message-ID: <4325DC90.1000607@billyreisinger.com>

Daniel Convissor wrote:

>Huh?!  Insert headers in the middle of the message body?!  That doesn't 
>make sense to me.  I believe you're misinterpreting the article you 
>mention.  Perhaps I misunderstand things, but the way I see it, I can 
>write "Content-Type: <whatever>" in the middle of message until my fingers 
>fall off and it won't have any impact.  The problem is inserting that into 
>the headers.
>  
>
I know, it's weird; unfortunately, it's true.  There's a specific little 
hack of the Content-type header that lets the hacker do a multi-part 
message.  If you scroll down to about the bottom of the article I 
mentioned, it goes over it in detail.  Again, kind of a brainteaser of a 
hack, so it's worth sitting down and reading in detail.

>
>My (buggy, someone please fix it, I'm short on time now) pseudo-code 
>clears invalid characters from the subject and name plus if the email 
>address is bogus, halts execution.
>
>--Dan
>
Got it.  I misread your previous post!
Cheers,
Billy Reisinger


From greg.rundlett at gmail.com  Mon Sep 12 16:54:51 2005
From: greg.rundlett at gmail.com (Greg Rundlett)
Date: Mon, 12 Sep 2005 16:54:51 -0400
Subject: [nycphp-talk] PHPWiki
In-Reply-To: <c5949a3805091209294d469905@mail.gmail.com>
References: <43242A1B.4050102@magpie.com>
	<b762526905091205044def6d8a@mail.gmail.com>
	<c5949a3805091209294d469905@mail.gmail.com>
Message-ID: <5e2aaca4050912135473ae1658@mail.gmail.com>

On 9/12/05, edward potter <edwardpotter at gmail.com> wrote:

> 
> I was wondering if anyone has come across a good Programmers Guide to 
> MediaWiki, yes i've googled it, have some links, but still kinda of piece 
> meal.


I used to follow the (mediawiki) developers list daily. One thing I can tell 
you is that the project lead Brion Vibber is amazing at how many questions 
he fields individually. If no other documentation exists, then you need to 
search the list archives and will invariably come up with the information 
you seek. If the question has never been asked, then I'm sure that Brion, or 
another dev would answer.

All of that being said, one of my pet peeves is that the OpenSource world in 
general does a great job of producing code, but is all-to-often lacking in 
architectural and other types of documentation for both developers and users 
alike--even when projects take up the task of producing it. It's still a 
very uphill battle for lots of valid reasons (constant maintenance, 
volunteer effort).
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.nyphp.org/pipermail/talk/attachments/20050912/47cb1d32/attachment.html>

From danielc at analysisandsolutions.com  Mon Sep 12 18:07:05 2005
From: danielc at analysisandsolutions.com (Daniel Convissor)
Date: Mon, 12 Sep 2005 18:07:05 -0400
Subject: [nycphp-talk] worm/virus's hammering feedback scripts?
In-Reply-To: <4325DC90.1000607@billyreisinger.com>
References: <20050912162018.GA22938@panix.com>
	<6.2.3.4.2.20050912123707.0246ca40@mail.optonline.net>
	<20050912183529.GA1332@panix.com>
	<4325CB1F.20602@billyreisinger.com>
	<0MKp2t-1EEVZL04AF-0004KA@mrelay.perfora.net>
	<43248C2F.8030006@omnistep.com>
	<Pine.BSF.4.58.0509111619520.17701@emra.pair.com>
	<4325CAA3.4000304@billyreisinger.com>
	<20050912190808.GA21414@panix.com>
	<4325DC90.1000607@billyreisinger.com>
Message-ID: <20050912220705.GA18012@panix.com>

Hi Billy:

> I know, it's weird; unfortunately, it's true.  There's a specific little 
> hack of the Content-type header that lets the hacker do a multi-part 
> message.  If you scroll down to about the bottom of the article I 
> mentioned, it goes over it in detail.

You seem to be misinterpreting the article.  The crack only works if they 
can get the "Content-Type: multipart/mixed;" into the _header_, at the 
beginning of a new line.

--Dan

-- 
 T H E   A N A L Y S I S   A N D   S O L U T I O N S   C O M P A N Y
            data intensive web and database programming
                http://www.AnalysisAndSolutions.com/
 4015 7th Ave #4, Brooklyn NY 11232  v: 718-854-0335 f: 718-854-0409


From mjdewitt at alexcommgrp.com  Mon Sep 12 18:15:22 2005
From: mjdewitt at alexcommgrp.com (DeWitt, Michael)
Date: Mon, 12 Sep 2005 18:15:22 -0400
Subject: [nycphp-talk] worm/virus's hammering feedback scripts?
Message-ID: <BCF799A6B63DD411985D00805F9F9033011FF90F@mail.alexcommgrp.com>



> -----Original Message-----
> From:	csnyder [SMTP:chsnyder at gmail.com]
> Sent:	Monday, September 12, 2005 3:49 PM
> To:	NYPHP Talk
> Subject:	Re: [nycphp-talk] worm/virus's hammering feedback scripts?
> 
> On 9/12/05, Daniel Convissor <danielc at analysisandsolutions.com> wrote:
> > Hi Billy:
> > 
> > On Mon, Sep 12, 2005 at 02:36:19PM -0400, Billy Reisinger wrote:
> > > In fact, the attacker can stop a mail message in the
> > > middle of the message body and begin an entirely new message!  For a
> > > more thorough (and cogent) explanation of this vulnerability, head on
> > > over to http://securephp.damonkohler.com/index.php/Email_Injection .
> > 
> > Huh?!  Insert headers in the middle of the message body?!  That doesn't
> > make sense to me.  I believe you're misinterpreting the article you
> > mention.  Perhaps I misunderstand things, but the way I see it, I can
> > write "Content-Type: <whatever>" in the middle of message until my
> fingers
> > fall off and it won't have any impact.  The problem is inserting that
> into
> > the headers.
> > 
> 
> The article is dangerously ambiguous on this point, but I think you're
> right on here, Dan. In order to insert new MIME parts into the message
> body, you need to be able to set the boundary marker in the headers.
> 
> So the message body itself is safe, provided your headers are properly
> sanitized.
> _______________________________________________
> New York PHP Talk Mailing List
> AMP Technology
> Supporting Apache, MySQL and PHP
> http://lists.nyphp.org/mailman/listinfo/talk
> http://www.nyphp.org


From ps at pswebcode.com  Mon Sep 12 18:22:20 2005
From: ps at pswebcode.com (Peter Sawczynec)
Date: Mon, 12 Sep 2005 18:22:20 -0400
Subject: [nycphp-talk] worm/virus's hammering feedback scripts?
In-Reply-To: <BCF799A6B63DD411985D00805F9F9033011FF90F@mail.alexcommgrp.com>
Message-ID: <013401c5b7e8$70eea1b0$6400a8c0@PeterStorm>

What if unsanitized data including javascripting is inadvertently left
in the message body and the web site process goes on to show an HTML
page recap and confirmation back to the user, couldn't this pose an
issue regarding what is in the email body?

Peter

-----Original Message-----
From: talk-bounces at lists.nyphp.org [mailto:talk-bounces at lists.nyphp.org]
On Behalf Of DeWitt, Michael
Sent: Monday, September 12, 2005 6:15 PM
To: 'NYPHP Talk'
Subject: Re: [nycphp-talk] worm/virus's hammering feedback scripts?




> -----Original Message-----
> From:	csnyder [SMTP:chsnyder at gmail.com]
> Sent:	Monday, September 12, 2005 3:49 PM
> To:	NYPHP Talk
> Subject:	Re: [nycphp-talk] worm/virus's hammering feedback
scripts?
> 
> On 9/12/05, Daniel Convissor <danielc at analysisandsolutions.com> wrote:
> > Hi Billy:
> > 
> > On Mon, Sep 12, 2005 at 02:36:19PM -0400, Billy Reisinger wrote:
> > > In fact, the attacker can stop a mail message in the middle of the

> > > message body and begin an entirely new message!  For a more 
> > > thorough (and cogent) explanation of this vulnerability, head on 
> > > over to http://securephp.damonkohler.com/index.php/Email_Injection

> > > .
> > 
> > Huh?!  Insert headers in the middle of the message body?!  That 
> > doesn't make sense to me.  I believe you're misinterpreting the 
> > article you mention.  Perhaps I misunderstand things, but the way I 
> > see it, I can write "Content-Type: <whatever>" in the middle of 
> > message until my
> fingers
> > fall off and it won't have any impact.  The problem is inserting 
> > that
> into
> > the headers.
> > 
> 
> The article is dangerously ambiguous on this point, but I think you're

> right on here, Dan. In order to insert new MIME parts into the message

> body, you need to be able to set the boundary marker in the headers.
> 
> So the message body itself is safe, provided your headers are properly

> sanitized. _______________________________________________
> New York PHP Talk Mailing List
> AMP Technology
> Supporting Apache, MySQL and PHP
> http://lists.nyphp.org/mailman/listinfo/talk
> http://www.nyphp.org
_______________________________________________
New York PHP Talk Mailing List
AMP Technology
Supporting Apache, MySQL and PHP
http://lists.nyphp.org/mailman/listinfo/talk
http://www.nyphp.org




From prusak at gmail.com  Mon Sep 12 21:55:40 2005
From: prusak at gmail.com (Ophir Prusak)
Date: Mon, 12 Sep 2005 21:55:40 -0400
Subject: [nycphp-talk] PHP on Windows + MS SQL Server
In-Reply-To: <20050910144208.GB21130@panix.com>
References: <f1dc81bb050909142017f298db@mail.gmail.com>
	<20050910144208.GB21130@panix.com>
Message-ID: <f1dc81bb05091218552c98d638@mail.gmail.com>

thanks all for the replies.

ophir

On 9/10/05, Daniel Convissor <danielc at analysisandsolutions.com> wrote:
> Hey Ophir:
> 
> On Fri, Sep 09, 2005 at 05:20:33PM -0400, Ophir Prusak wrote:
> >
> > I'm working at a windows shop where all of the data is on MS SQL server 2000
> > (using .asp and .aspx - .net)
> >
> > We're at the point where we're looking into adding PHP into the mix.
> 
> PEAR DB works just dandy with MSSQL.  Even if you don't want to use the
> package, you may gain some insights from the source code.
> 
> --Dan
> 
> --
>  T H E   A N A L Y S I S   A N D   S O L U T I O N S   C O M P A N Y
>            data intensive web and database programming
>                http://www.AnalysisAndSolutions.com/
>  4015 7th Ave #4, Brooklyn NY 11232  v: 718-854-0335 f: 718-854-0409
> _______________________________________________
> New York PHP Talk Mailing List
> AMP Technology
> Supporting Apache, MySQL and PHP
> http://lists.nyphp.org/mailman/listinfo/talk
> http://www.nyphp.org
>


From mail at billyreisinger.com  Mon Sep 12 22:22:38 2005
From: mail at billyreisinger.com (Billy Reisinger)
Date: Mon, 12 Sep 2005 22:22:38 -0400
Subject: [nycphp-talk] worm/virus's hammering feedback scripts?
In-Reply-To: <20050912220705.GA18012@panix.com>
References: <20050912162018.GA22938@panix.com>
	<6.2.3.4.2.20050912123707.0246ca40@mail.optonline.net>
	<20050912183529.GA1332@panix.com>
	<4325CB1F.20602@billyreisinger.com>
	<0MKp2t-1EEVZL04AF-0004KA@mrelay.perfora.net>
	<43248C2F.8030006@omnistep.com>
	<Pine.BSF.4.58.0509111619520.17701@emra.pair.com>
	<4325CAA3.4000304@billyreisinger.com>
	<20050912190808.GA21414@panix.com>
	<4325DC90.1000607@billyreisinger.com>
	<20050912220705.GA18012@panix.com>
Message-ID: <B50516FC-60E8-4AB6-8D93-B3A7258C9B2C@billyreisinger.com>

Dan -
Apologies if I am being vague.  Yes, the person has to get the hack  
into the Content-type: header, but if this _is_ accomplished, the  
attacker can append characters or data to the message body, from what  
I understand.  We're splitting hairs, here.
Cheers,
Billy

On Sep 12, 2005, at 6:07 PM, Daniel Convissor wrote:

> Hi Billy:
>
>
>> I know, it's weird; unfortunately, it's true.  There's a specific  
>> little
>> hack of the Content-type header that lets the hacker do a multi-part
>> message.  If you scroll down to about the bottom of the article I
>> mentioned, it goes over it in detail.
>>
>
> You seem to be misinterpreting the article.  The crack only works  
> if they
> can get the "Content-Type: multipart/mixed;" into the _header_, at the
> beginning of a new line.
>
> --Dan
>
> -- 
>  T H E   A N A L Y S I S   A N D   S O L U T I O N S   C O M P A N Y
>             data intensive web and database programming
>                 http://www.AnalysisAndSolutions.com/
>  4015 7th Ave #4, Brooklyn NY 11232  v: 718-854-0335 f: 718-854-0409
> _______________________________________________
> New York PHP Talk Mailing List
> AMP Technology
> Supporting Apache, MySQL and PHP
> http://lists.nyphp.org/mailman/listinfo/talk
> http://www.nyphp.org
>
>
>



From lists at zaunere.com  Mon Sep 12 23:08:08 2005
From: lists at zaunere.com (Hans Zaunere)
Date: Mon, 12 Sep 2005 23:08:08 -0400
Subject: [nycphp-talk] worm/virus's hammering feedback scripts? POLISHED
	VERSION
In-Reply-To: <6.2.3.4.2.20050912120926.0244d060@mail.optonline.net>
Message-ID: <0MKp2t-1EF19U2ulD-000801@mrelay.perfora.net>


I'm preparing to make the posting, but want to double check something.
Please see below.

Michael Southwell scribbled on Monday, September 12, 2005 12:15 PM:
> I polished this up a bit.
> 
> IMPORTANT:  Ken's original function did not work in my testing,
> because (1) the \ in \r and \n needed to be escaped, and (2) he had
> the letter O instead of the numeral 0 in the hex numbers.  Somebody
> smarter than I am, please check carefully the modified version
> included below. ===========================
> 
> Problem:
> Bot-net scanning to locate php scripts which are vulnerable to a email
> header injection exploit. All PHP scripts which send email based on
> input data are vulnerable.
> 
> Discussion:
> A large scale distributed network of machines is currently being
> employed to scan php-based websites in search of scripts which are

Is this exploit PHP specific?  Although I haven't confirmed, the nature of
the vulnerability would appear to effect any mailing web form, in nearly any
language.  Can anyone provide additional details?


---
Hans Zaunere / President / New York PHP
   www.nyphp.org  /  www.nyphp.com




From kenrbnsn at rbnsn.com  Mon Sep 12 23:20:42 2005
From: kenrbnsn at rbnsn.com (Ken Robinson)
Date: Mon, 12 Sep 2005 23:20:42 -0400
Subject: [nycphp-talk] worm/virus's hammering feedback scripts? POLISHED
 VERSION
In-Reply-To: <6.2.3.4.2.20050912120926.0244d060@mail.optonline.net>
References: <0MKp2t-1EEnZh055l-0000LJ@mrelay.perfora.net>
	<43259BC2.4050604@omnistep.com>
	<6.2.3.4.2.20050912120926.0244d060@mail.optonline.net>
Message-ID: <6.2.5.4.2.20050912231541.06c89ca8@rbnsn.com>

At 12:15 PM 9/12/2005, Michael Southwell wrote:
>I polished this up a bit.
>
>IMPORTANT:  Ken's original function did not work in my testing,
>because (1) the \ in \r and \n needed to be escaped, and (2) he had
>the letter O instead of the numeral 0 in the hex numbers.  Somebody
>smarter than I am, please check carefully the modified version included below.

I'm curious as to why you think that the \ in \r and \n need to be 
escaped? I am really searching for and removing "\n" and "\r" 
characters in the string. In my tests this has worked and prevented 
the spam tests from getting out. The spambots are still hitting the 
one site I've made the modifications on. Their not hitting any of my 
other sites (yet) and I have been working on getting the fix into them.

BTW, I've noticed that they putting their malicious code in any 
and/or all of the posted variables including "submit".

Another attempt I've seen was where the referer was a file I don't 
have. That one was easy to stop.

Ken Robinson 



From krook at us.ibm.com  Mon Sep 12 23:43:01 2005
From: krook at us.ibm.com (Daniel Krook)
Date: Mon, 12 Sep 2005 23:43:01 -0400
Subject: [nycphp-talk] worm/virus's hammering feedback scripts?
	POLISHED	VERSION
In-Reply-To: <0MKp2t-1EF19U2ulD-000801@mrelay.perfora.net>
Message-ID: <OF00101133.FE4DE49A-ON8525707B.0014407F-8525707B.001465D7@us.ibm.com>

> Is this exploit PHP specific?  Although I haven't 
> confirmed, the nature of
> the vulnerability would appear to effect any mailing web 
> form, in nearly any
> language.  Can anyone provide additional details?


Hmm,

An interesting question...

>From my experience developing feedback forms in Java using the JavaMail 
API, the "to" or "from" email addresses are of the type 
javax.mail.internet.InternetAddress, which takes a String in its 
constructor and throws an exception (javax.mail.internet.AddressException) 
if the address can not be parsed in RFC822 format (the default):

http://java.sun.com/products/javamail/javadocs/javax/mail/internet/InternetAddress.html#InternetAddress(java.lang.String)

These InternetAddress objects are normally given to an instance of type 
javax.mail.internet.MimeMessage which is itself given an instance of 
javax.mail.Session.   You often set MimeMessage's recipients with methods 
which take InternetAddresses, but can also take raw Strings.

The setSubject method of MimeMessage takes Strings, and it explicitly 
notes in the Javadoc that "The application must ensure that the subject 
does not contain any line breaks", which seems to suggest that it is also 
known to be vulnerable to an exploit of this nature.

http://java.sun.com/products/javamail/javadocs/javax/mail/internet/MimeMessage.html#setSubject(java.lang.String)

So it would seem if you ventured past the parts of the JavaMail API which 
allow you to use Strings, instead of creating InternetAddress objects and 
hardcoding the subject, you would be "safe" from the exploit, but you 
should double check any methods that you are using that expect Strings.





Daniel Krook, Advisory IT Specialist 
Application Development, Production Services - Tools, ibm.com

Personal: http://info.krook.org/
BluePages: http://bluepages.redirect.webahead.ibm.com/
BlogPages: http://blogpages.redirect.webahead.ibm.com/




From krook at us.ibm.com  Mon Sep 12 23:55:27 2005
From: krook at us.ibm.com (Daniel Krook)
Date: Mon, 12 Sep 2005 23:55:27 -0400
Subject: [nycphp-talk] worm/virus's hammering feedback
	scripts?	POLISHED	VERSION
In-Reply-To: <OF00101133.FE4DE49A-ON8525707B.0014407F-8525707B.001465D7@us.ibm.com>
Message-ID: <OFFF4980ED.2BB358BF-ON8525707B.00150D08-8525707B.00158979@us.ibm.com>

Sorry,

This:

> So it would seem if you ventured past the parts of the 
> JavaMail API which 
> allow you to use Strings, instead of creating 
> InternetAddress objects and 
> hardcoding the subject, you would be "safe" from the 
> exploit, but you 
> should double check any methods that you are using that 
> expect Strings.

should read: 

So it would seem if you did *not* venture into the parts of the JavaMail 
API which allow you to use Strings, instead of creating InternetAddress 
objects and hardcoding the subject, you would be "safe" from the exploit. 
Otherwise, you should double check any methods that you are using that 
expect Strings.




Daniel Krook, Advisory IT Specialist 
Application Development, Production Services - Tools, ibm.com

Personal: http://info.krook.org/
BluePages: http://bluepages.redirect.webahead.ibm.com/
BlogPages: http://blogpages.redirect.webahead.ibm.com/




From arzala at gmail.com  Tue Sep 13 01:02:42 2005
From: arzala at gmail.com (Anirudh Zala (Gmail))
Date: Tue, 13 Sep 2005 10:32:42 +0530
Subject: [nycphp-talk] worm/virus's hammering feedback scripts?
Message-ID: <43265D72.2080007@gmail.com>



-------- Original Message --------
Subject: Re: [nycphp-talk] worm/virus's hammering feedback scripts?
Date: Tue, 13 Sep 2005 09:27:53 +0530
From: Anirudh Zala (Gmail) <anirudh at gmail.com>
To: NYPHP Talk <talk at lists.nyphp.org>
References: <0MKp2t-1EEVZL04AF-0004KA at mrelay.perfora.net> 
<43248C2F.8030006 at omnistep.com> <4324FB52.5010806 at omnistep.com>

Rolan Yang wrote:

>One more hint to all:
>
> If you are hosting php scripts for other people, or simply have too 
>many to comb through on your own server(s), grep your mail server log 
>for "jrubin3546 at aol.com".  If you see any results, cross reference that 
>time with your web logs to locate the exploitable script.
>
>~Rolan
>_______________________________________________
>New York PHP Talk Mailing List
>AMP Technology
>Supporting Apache, MySQL and PHP
>http://lists.nyphp.org/mailman/listinfo/talk
>http://www.nyphp.org
>
>  
>
We had same problem. But we had enough protection in our scripts against
such exploitation. Ideally tracking any email address like Rolan asked
might not be useful as Spammers often changes it time by time. Moreover
when your hosting company is big or you have many websites running on
your server then you can't monitor everything. Simplest solution to
protect your scripts against such misuse is to use JS validation of your
form fields, PHP validation using regexp function, Use of php functions
like "htmlspecialchars, strip tags and  stripslashes", and to use $_GET
and $_POST super global instead of normal PHP style variables while
using form variables. This implementation, according to me, gives you
90% protection against such exploitation.

Below is snapshot of Error generated by one of our website. Please see
that variables have been shown associateve arrays.

===============================================================

Date and Time                : 13-9-2005 00:00
Url                          : www.hameenautocenter.fi
File path                    : /web/www.SOMETHING.com/..........
Logged in user/dealer        :  ()
User's IP                    : 216.194.16.226
Port                         : 1423
Request method               : POST
Query string                 :
HTTP referer                 : http://www.hameenautocenter.fi/
DB server                    :

Message between lines ---- shows real error string returnd by MySQL / 
class.rFastTemplate.php:

--------------------------------------------------------------------------------------------------
load(2/22892.ihtml) failure:
--------------------------------------------------------------------------------------------------

# Posted variables were:

`thimg439051`=>`bgokwdpda at hameenautocenter.fi`
`thimg289279`=>`bgokwdpda at hameenautocenter.fi`
`thimg298836`=>`bgokwdpda at hameenautocenter.fi`
`thimg434535`=>`bgokwdpda at hameenautocenter.fi`
`thimg237515`=>`bgokwdpda at hameenautocenter.fi`
`thimg336168`=>`bgokwdpda at hameenautocenter.fi`
`thimg434511`=>`bgokwdpda at hameenautocenter.fi`
`thimg439032`=>`bgokwdpda at hameenautocenter.fi`
`thimg434437`=>`bgokwdpda at hameenautocenter.fi`
`thimg257545`=>`bgokwdpda at hameenautocenter.fi`
`thimg431994`=>`bgokwdpda at hameenautocenter.fi`
`thimg314051`=>`bgokwdpda at hameenautocenter.fi`
`thimg211000`=>`bgokwdpda at hameenautocenter.fi`
`thimg281279`=>`bgokwdpda at hameenautocenter.fi`
`thimg430744`=>`bgokwdpda at hameenautocenter.fi`
`thimg432028`=>`bgokwdpda at hameenautocenter.fi
Content-Type: multipart/mixed; boundary="===============0394946924=="
MIME-Version: 1.0
Subject: e2fd8ef6
To: bgokwdpda at hameenautocenter.fi
bcc: jrubin3546 at aol.com
From: bgokwdpda at hameenautocenter.fi

This is a multi-part message in MIME format.

--===============0394946924==
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit

nlh
--===============0394946924==--
`
`thimg177404`=>`bgokwdpda at hameenautocenter.fi`
`thimg430719`=>`bgokwdpda at hameenautocenter.fi`
`thimg430708`=>`bgokwdpda at hameenautocenter.fi`
`thimg272427`=>`bgokwdpda at hameenautocenter.fi`
`thimg364967`=>`bgokwdpda at hameenautocenter.fi`
`thimg364964`=>`bgokwdpda at hameenautocenter.fi`
`thimg236039`=>`bgokwdpda at hameenautocenter.fi`
`thimg298846`=>`bgokwdpda at hameenautocenter.fi`
`thimg439004`=>`bgokwdpda at hameenautocenter.fi`
`thimg434460`=>`bgokwdpda at hameenautocenter.fi`
`thimg281337`=>`bgokwdpda at hameenautocenter.fi`
`thimg430694`=>`bgokwdpda at hameenautocenter.fi`
`thimg430752`=>`bgokwdpda at hameenautocenter.fi`
`thimg432070`=>`bgokwdpda at hameenautocenter.fi`
`thimg432055`=>`bgokwdpda at hameenautocenter.fi`
`thimg432036`=>`bgokwdpda at hameenautocenter.fi`
`thimg268068`=>`bgokwdpda at hameenautocenter.fi`

===============================================================

Thanks

Anirudh Zala



From yournway at gmail.com  Tue Sep 13 04:17:15 2005
From: yournway at gmail.com (Alberto dos Santos)
Date: Tue, 13 Sep 2005 09:17:15 +0100
Subject: [nycphp-talk] worm/virus's hammering feedback scripts?
In-Reply-To: <43265D72.2080007@gmail.com>
References: <43265D72.2080007@gmail.com>
Message-ID: <edce576505091301173df93e4@mail.gmail.com>

Hans, and others:

This thread has been one of the most enlightenling I've ever read on this 
lists imho, of course.

Can you gurus please sum up all of these bright conclusions and add to
the Storing
Data Submitted From a Form and Displaying Data from a
Database<http://www.nyphp.org/phundamentals/storingretrieving.php>PHundamental?
Or is this article already covering these issues with the
scripts that feature in it?

Thank you all.

-- 
Alberto dos Santos
Consultor em TI
IT Consultant

http://www.yournway.com
A internet para o cidad?o comum.
The Internet for the common citizen.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.nyphp.org/pipermail/talk/attachments/20050913/5cc3239e/attachment.html>

From danielc at analysisandsolutions.com  Tue Sep 13 07:51:05 2005
From: danielc at analysisandsolutions.com (Daniel Convissor)
Date: Tue, 13 Sep 2005 07:51:05 -0400
Subject: [nycphp-talk] worm/virus's hammering feedback scripts?
In-Reply-To: <B50516FC-60E8-4AB6-8D93-B3A7258C9B2C@billyreisinger.com>
References: <20050912183529.GA1332@panix.com>
	<4325CB1F.20602@billyreisinger.com>
	<0MKp2t-1EEVZL04AF-0004KA@mrelay.perfora.net>
	<43248C2F.8030006@omnistep.com>
	<Pine.BSF.4.58.0509111619520.17701@emra.pair.com>
	<4325CAA3.4000304@billyreisinger.com>
	<20050912190808.GA21414@panix.com>
	<4325DC90.1000607@billyreisinger.com>
	<20050912220705.GA18012@panix.com>
	<B50516FC-60E8-4AB6-8D93-B3A7258C9B2C@billyreisinger.com>
Message-ID: <20050913115105.GA23908@panix.com>

Hi Billy:

On Mon, Sep 12, 2005 at 10:22:38PM -0400, Billy Reisinger wrote:

> Yes, the person has to get the hack  
> into the Content-type: header, but if this _is_ accomplished, the  
> attacker can append characters or data to the message body, from what  
> I understand.  We're splitting hairs, here.

No, we're not.  You said the user input for the body can't have 
"content-type" in it, which is false.

--Dan

-- 
 T H E   A N A L Y S I S   A N D   S O L U T I O N S   C O M P A N Y
            data intensive web and database programming
                http://www.AnalysisAndSolutions.com/
 4015 7th Ave #4, Brooklyn NY 11232  v: 718-854-0335 f: 718-854-0409


From mikko.rantalainen at peda.net  Tue Sep 13 10:19:18 2005
From: mikko.rantalainen at peda.net (Mikko Rantalainen)
Date: Tue, 13 Sep 2005 17:19:18 +0300
Subject: [nycphp-talk] Filtering input to be appended inside email
In-Reply-To: <20050912183529.GA1332@panix.com>
References: <0MKp2t-1EEVZL04AF-0004KA@mrelay.perfora.net>	<OF5DF984F9.3FB9FD24-ON8525707A.0049C9FA-8525707A.004A5324@us.ibm.com>	<0MKp2t-1EEnZh055l-0000LJ@mrelay.perfora.net>	<43259BC2.4050604@omnistep.com>
	<20050912162018.GA22938@panix.com>	<6.2.3.4.2.20050912123707.0246ca40@mail.optonline.net>
	<20050912183529.GA1332@panix.com>
Message-ID: <4326DFE6.6@peda.net>

Daniel Convissor wrote:
> Hi Michael:
> On Mon, Sep 12, 2005 at 12:41:12PM -0400, Michael Southwell wrote:
>>
>>The point is simply to identify which scripts have sent emails to the 
>>known-bad addresses; those are the vulnerable ones.
> 
> I'm afraid that will lead people into both a false sense of security and 
> using email address blacklists.  Folks should audit their email scripts, 
> period.

I agree. Broken code is broken code. If you aren't sure if your 
email script works correctly, take it offline immediately.

>>There were other problems as well, which I noted in my polished 
>>version.  We need an officially sanctioned version of the function 
>>before we can post anything.
> 
> Agreed.  Here's what I think is a good starting point for discussion...
> 
> <?php
> // untested!!!!
> // MUST do is_set() checks on all of these for first!
> // left out for brevity.
> 
> if (eregi('^[a-z0-9_.=+-]+@([a-z0-9-]+\.)+([a-z]{2,6})$', $_POST['address'])) {
>     $address = $_POST['address'];
> } else {
>     echo 'bad email';
>     exit;

That looks pretty simple but it doesn't allow even nearly all valid 
email addresses.

I'd rather create two functions like

/**
	takes string $input_email and returns RFC 2822 section 3.4
	compatible address or empty string if input cannot be
	handled.
	http://rfc.net/rfc2822.html#s3.4.
*/
function getSafeEmail($input_email) { ... return $safe_email; }

and

/**
	takes string $input_header and encodes it as a single header
	to be used for mailing.
	http://rfc.net/rfc2822.html#s2.2.3.
*/
function getSafeHeader($input_header) { ... return $safe_header; }

and I'd put all input through these functions. Like $from = 
$_POST["FROM"] or so.

**

Of these, the first one is much harder to implement correctly. A 
simple implementation could only accept limited addr-spec format of 
syntax
	dot-atom "@" dot-atom
where the dot-atom is defined at http://rfc.net/rfc2822.html#s3.2.4. 
Note that this is much simpler than full address spec defined in 
http://rfc.net/rfc2822.html#s3.4.

Note that this "simple" format wouldn't allow all valid email 
addresses but at least it would allow stuff like
mikko.rantalainen+nyphp at peda.net
unlike many complex regexes that are meant to filter email addresses.

A simple, untested implementation would look like

function getSafeEmail($input_email)
{
	# http://rfc.net/rfc2822.html#s3.2.4.
	$dot_atom = "^a-z0-9!#\$%&'*/=?_`{|}~+-";
	# filter extra characters off
	$safe_email = preg_replace("@[^{$dot_atom}]@gi","",$input_email);

	if 
(preg_match("@[{$dot_atom}](\.[{$dot_atom}])*\@[{$dot_atom}](\.[{$dot_atom}])+ at i",$safe_email))
		return $safe_email;
	else
		return ""; # error
}


For the second function we have two possible ways to make sure that 
$input_header indeed contains exactly one valid header; either 
remove all line feeds from the input or append a space after every 
line feed which makes whole input a single header wrapped to 
multiple lines (http://rfc.net/rfc2822.html#s2.2.3.). I'll choose 
the latter method for this implementation. Again, this is untested.

function getSafeHeader($input_header)
{
	# split as defined in http://rfc.net/rfc2822.html#s2.2.
	list($name,$value) = explode(":",$input_header,2);

	# verify header name
	if (!preg_match("@^[".chr(33)."-".chr(126)."]+$@",$name))
		return "";

	# header cannot contain CRLF
	# our implementation strips out CRs, make sure all LFs
	# are safe and reinserts CRs
	$value = preg_replace("@\r@","",trim($value));
	$value = preg_replace("@\n@","\n ",$value);
	$value = preg_replace("@\n@","\r\n",$value);
	
	$safe_header = $name.": ".$value."\r\n";
	return $safe_header;
}

Body doesn't need to be handled unless you use HTML mail (shame on 
you), in which case all XSS issues are there waiting.

-- 
Mikko


From michael.southwell at nyphp.org  Tue Sep 13 10:31:03 2005
From: michael.southwell at nyphp.org (Michael Southwell)
Date: Tue, 13 Sep 2005 10:31:03 -0400
Subject: [nycphp-talk] worm/virus's hammering feedback scripts? POLISHED
 VERSION
In-Reply-To: <6.2.5.4.2.20050912231541.06c89ca8@rbnsn.com>
References: <0MKp2t-1EEnZh055l-0000LJ@mrelay.perfora.net>
	<43259BC2.4050604@omnistep.com>
	<6.2.3.4.2.20050912120926.0244d060@mail.optonline.net>
	<6.2.5.4.2.20050912231541.06c89ca8@rbnsn.com>
Message-ID: <6.2.3.4.2.20050913102132.0249ddc8@mail.optonline.net>

At 11:20 PM 9/12/2005, you wrote:
>I'm curious as to why you think that the \ in \r and \n need to be
>escaped? I am really searching for and removing "\n" and "\r"
>characters in the string. In my tests this has worked and prevented
>the spam tests from getting out.

It didn't work for me (on Windows):

<?php
$test = 'hello\rworld';
$unescaped = str_replace( "\r", " ", $test );
$escaped = str_replace( "\\r", " ", $test );
echo "unescaped is $unescaped, and escaped is $escaped";

returned

unescaped is hello\rworld, and escaped is hello world

The PHP Manual at http://php.net/types.string suggests that \r should 
work; all I can say is that it didn't for me.


Michael Southwell, Vice President for Education
New York PHP
http://www.nyphp.com/training - In-depth PHP Training Courses 



From chsnyder at gmail.com  Tue Sep 13 10:43:18 2005
From: chsnyder at gmail.com (csnyder)
Date: Tue, 13 Sep 2005 10:43:18 -0400
Subject: [nycphp-talk] worm/virus's hammering feedback scripts? POLISHED
	VERSION
In-Reply-To: <6.2.5.4.2.20050912231541.06c89ca8@rbnsn.com>
References: <0MKp2t-1EEnZh055l-0000LJ@mrelay.perfora.net>
	<43259BC2.4050604@omnistep.com>
	<6.2.3.4.2.20050912120926.0244d060@mail.optonline.net>
	<6.2.5.4.2.20050912231541.06c89ca8@rbnsn.com>
Message-ID: <b762526905091307434bd252cb@mail.gmail.com>

On 9/12/05, Ken Robinson <kenrbnsn at rbnsn.com> wrote:
> At 12:15 PM 9/12/2005, Michael Southwell wrote:
> >I polished this up a bit.
> >
> >IMPORTANT:  Ken's original function did not work in my testing,
> >because (1) the \ in \r and \n needed to be escaped, and (2) he had
> >the letter O instead of the numeral 0 in the hex numbers.  Somebody
> >smarter than I am, please check carefully the modified version included below.
> 
> I'm curious as to why you think that the \ in \r and \n need to be
> escaped? I am really searching for and removing "\n" and "\r"
> characters in the string. In my tests this has worked and prevented
> the spam tests from getting out. The spambots are still hitting the
> one site I've made the modifications on. Their not hitting any of my
> other sites (yet) and I have been working on getting the fix into them.
> 
> BTW, I've noticed that they putting their malicious code in any
> and/or all of the posted variables including "submit".
> 
> Another attempt I've seen was where the referer was a file I don't
> have. That one was easy to stop.
> 


I'm curious as to why we wouldn't just bail out and refuse to send the
email at all if someone posted input with CR or LF in it?

Seems to me that if you have a form with <input type="text"
name="from" /> and you get a multiline $_POST['from'], then somebody
is trying to get away with something.

While not necessarily the case here, sometimes taking out something
bad will create a situation where you're left with something worse.
Sometimes it's better to be conservative and disallow input rather
than try to sanitize it.

-- 
Chris Snyder
http://chxo.com/


From rolan at omnistep.com  Tue Sep 13 10:57:33 2005
From: rolan at omnistep.com (Rolan Yang)
Date: Tue, 13 Sep 2005 10:57:33 -0400
Subject: [nycphp-talk] worm/virus's hammering feedback scripts? POLISHED
 VERSION
In-Reply-To: <b762526905091307434bd252cb@mail.gmail.com>
References: <0MKp2t-1EEnZh055l-0000LJ@mrelay.perfora.net>	<43259BC2.4050604@omnistep.com>	<6.2.3.4.2.20050912120926.0244d060@mail.optonline.net>	<6.2.5.4.2.20050912231541.06c89ca8@rbnsn.com>
	<b762526905091307434bd252cb@mail.gmail.com>
Message-ID: <4326E8DD.1000401@omnistep.com>

csnyder wrote:

>I'm curious as to why we wouldn't just bail out and refuse to send the
>email at all if someone posted input with CR or LF in it?
>
>Seems to me that if you have a form with <input type="text"
>name="from" /> and you get a multiline $_POST['from'], then somebody
>is trying to get away with something.
>
>While not necessarily the case here, sometimes taking out something
>bad will create a situation where you're left with something worse.
>Sometimes it's better to be conservative and disallow input rather
>than try to sanitize it.
>  
>

I am in total agreement here. Even though the messages were no longer a 
threat, we were awfully tired of seeing the flood of incoming garbage. 
Preventing the offending message from being sent also saves a lot of 
wear and tear on the "Delete" button.

~Rolan


From danielc at analysisandsolutions.com  Tue Sep 13 10:58:31 2005
From: danielc at analysisandsolutions.com (Daniel Convissor)
Date: Tue, 13 Sep 2005 10:58:31 -0400
Subject: [nycphp-talk] Filtering input to be appended inside email
In-Reply-To: <4326DFE6.6@peda.net>
References: <0MKp2t-1EEVZL04AF-0004KA@mrelay.perfora.net>
	<OF5DF984F9.3FB9FD24-ON8525707A.0049C9FA-8525707A.004A5324@us.ibm.com>
	<0MKp2t-1EEnZh055l-0000LJ@mrelay.perfora.net>
	<43259BC2.4050604@omnistep.com> <20050912162018.GA22938@panix.com>
	<6.2.3.4.2.20050912123707.0246ca40@mail.optonline.net>
	<20050912183529.GA1332@panix.com> <4326DFE6.6@peda.net>
Message-ID: <20050913145831.GA14467@panix.com>

Hey Mikko:

On Tue, Sep 13, 2005 at 05:19:18PM +0300, Mikko Rantalainen wrote:
> 
> That looks pretty simple but it doesn't allow even nearly all valid 
> email addresses.

I know.  Particularly internationl domain names. :)


> 	# header cannot contain CRLF
> 	# our implementation strips out CRs, make sure all LFs
> 	# are safe and reinserts CRs
> 	$value = preg_replace("@\r@","",trim($value));
> 	$value = preg_replace("@\n@","\n ",$value);
> 	$value = preg_replace("@\n@","\r\n",$value);

That can be done in one call (untested):
    $value = preg_replace("/[\r\n]+/", "\r\n ", trim($value));

I see the point of this is putting a space at the beginning of the line so 
the input doesn't get interpreted as a new header line.  But in my 
opinion, when user input is involved, allowing \r or \n isn't wise in the 
first place.


> Body doesn't need to be handled unless you use HTML mail (shame on 
> you), in which case all XSS issues are there waiting.

But some (many?) email clients are F'ing stupid.

--Dan

-- 
 T H E   A N A L Y S I S   A N D   S O L U T I O N S   C O M P A N Y
            data intensive web and database programming
                http://www.AnalysisAndSolutions.com/
 4015 7th Ave #4, Brooklyn NY 11232  v: 718-854-0335 f: 718-854-0409


From mikko.rantalainen at peda.net  Tue Sep 13 11:11:13 2005
From: mikko.rantalainen at peda.net (Mikko Rantalainen)
Date: Tue, 13 Sep 2005 18:11:13 +0300
Subject: [nycphp-talk] Filtering input to be appended inside email
In-Reply-To: <20050913145831.GA14467@panix.com>
References: <0MKp2t-1EEVZL04AF-0004KA@mrelay.perfora.net>	<OF5DF984F9.3FB9FD24-ON8525707A.0049C9FA-8525707A.004A5324@us.ibm.com>	<0MKp2t-1EEnZh055l-0000LJ@mrelay.perfora.net>	<43259BC2.4050604@omnistep.com>
	<20050912162018.GA22938@panix.com>	<6.2.3.4.2.20050912123707.0246ca40@mail.optonline.net>	<20050912183529.GA1332@panix.com>
	<4326DFE6.6@peda.net> <20050913145831.GA14467@panix.com>
Message-ID: <4326EC11.2080708@peda.net>

Daniel Convissor wrote:
> Mikko wrote:
>>Body doesn't need to be handled unless you use HTML mail (shame on 
>>you), in which case all XSS issues are there waiting.
> 
> But some (many?) email clients are F'ing stupid.

Yes, but my point was that unless you're sending HTML mail from your 
server, there's no need to filter body. Or at least I'm not aware of 
any exploitable MUA when the input type is text/plain.

-- 
Mikko


From suzerain at suzerain.com  Tue Sep 13 15:23:20 2005
From: suzerain at suzerain.com (Marc Antony Vose)
Date: Tue, 13 Sep 2005 15:23:20 -0400
Subject: [nycphp-talk] worm/virus's hammering feedback scripts? POLISHED
 VERSION
In-Reply-To: <b762526905091307434bd252cb@mail.gmail.com>
References: <0MKp2t-1EEnZh055l-0000LJ@mrelay.perfora.net>
	<43259BC2.4050604@omnistep.com>
	<6.2.3.4.2.20050912120926.0244d060@mail.optonline.net>
	<6.2.5.4.2.20050912231541.06c89ca8@rbnsn.com>
	<b762526905091307434bd252cb@mail.gmail.com>
Message-ID: <p06230922bf4cd7030c4d@[192.168.1.44]>

At 10:43 AM -0400 9/13/05, csnyder wrote:
>
>
>I'm curious as to why we wouldn't just bail out and refuse to send the
>email at all if someone posted input with CR or LF in it?
>
>Seems to me that if you have a form with <input type="text"
>name="from" /> and you get a multiline $_POST['from'], then somebody
>is trying to get away with something.
>


At first this was freaking me out, too, but I just wanted to chime in 
and say this is my preferred solution to this problem as well.

I think if you receive any input that looks fishy (by whatever test 
you choose...multiline 'from' lines seem like a good place to start), 
you should just not send the email, and show your users "Sorry, try 
again" or something.

Cheers,

-- 
Marc Antony Vose
http://www.suzerain.com/

Poetry atrophies when it gets too far from music.
-- Ezra Pound


From orgcomp at yahoo.com  Tue Sep 13 17:16:52 2005
From: orgcomp at yahoo.com (m o)
Date: Tue, 13 Sep 2005 14:16:52 -0700 (PDT)
Subject: [nycphp-talk] shtml
Message-ID: <20050913211652.28184.qmail@web36212.mail.mud.yahoo.com>

I working on a migration of a data base from linux to
windows. to track clients needs for the Salvation
Army.
I'm have one big problem with the shtml playing right.
I have PHP 4.3.2 running on windows with apache 2.0.54
and postgresql 8.0.
Why I write you is maybe you would know how to make
shtml
a stream on PHP. Ive had a hard time trying to get
shtml to play nice.
What INI need to be changed to make it work.. I can
send copy of the ini if
needed.


		
__________________________________ 
Yahoo! Mail - PC Magazine Editors' Choice 2005 
http://mail.yahoo.com


From chsnyder at gmail.com  Tue Sep 13 18:42:15 2005
From: chsnyder at gmail.com (csnyder)
Date: Tue, 13 Sep 2005 18:42:15 -0400
Subject: [nycphp-talk] shtml
In-Reply-To: <20050913211652.28184.qmail@web36212.mail.mud.yahoo.com>
References: <20050913211652.28184.qmail@web36212.mail.mud.yahoo.com>
Message-ID: <b76252690509131542442b289e@mail.gmail.com>

On 9/13/05, m o <orgcomp at yahoo.com> wrote:
> I working on a migration of a data base from linux to
> windows. to track clients needs for the Salvation
> Army.
> I'm have one big problem with the shtml playing right.
> I have PHP 4.3.2 running on windows with apache 2.0.54
> and postgresql 8.0.
> Why I write you is maybe you would know how to make
> shtml
> a stream on PHP. Ive had a hard time trying to get
> shtml to play nice.
> What INI need to be changed to make it work.. I can
> send copy of the ini if
> needed.

Make shtml a stream in PHP... can you give us a better description of
what you're trying to do?

If you're talking about server-side includes, then the answer is that
(generally speaking), you can use Apache includes, or PHP, but not
both together in the same request. Or at least, you couldn't back in
the day...

There may be some way to use filters in Apache2 that would allow the
server to execute a document as PHP code first, and then act on
server-side include directives in the resulting output... does that
sound like what you want? It might make a big difference whether the
PHP is in the requested document, or in the include, or both.


-- 
Chris Snyder
http://chxo.com/


From hendler at simmons.edu  Tue Sep 13 19:11:19 2005
From: hendler at simmons.edu (Jonathan)
Date: Tue, 13 Sep 2005 19:11:19 -0400
Subject: [nycphp-talk] Zend certification
In-Reply-To: <b76252690509131542442b289e@mail.gmail.com>
References: <20050913211652.28184.qmail@web36212.mail.mud.yahoo.com>
	<b76252690509131542442b289e@mail.gmail.com>
Message-ID: <43275C97.6020909@simmons.edu>

Hi all,

After 5 years of using PHP I took the Zend certification exam and passed.
Like the last sentence, it was a little anti-climactic.
I don't know my score and would like to - I think.
Over all I thought the test was fine for a low to mid level cert - but 
it wasn't enterprise level and somewhat jokingly I'd say it didn't make 
me feel like the as-advertised engineer.
I don't want to sound too critical - overall, I am glad to see a 
certification program exists and it's not a bad start.
I would think to be a zend engineer there is a whole other tier of 
applications, external libraries, and PHP 5 items that would be great 
for the next level certification.

- Jonathan Hendler



From codebowl at gmail.com  Tue Sep 13 20:17:01 2005
From: codebowl at gmail.com (Joseph Crawford)
Date: Tue, 13 Sep 2005 20:17:01 -0400
Subject: [nycphp-talk] Zend certification
In-Reply-To: <43275C97.6020909@simmons.edu>
References: <20050913211652.28184.qmail@web36212.mail.mud.yahoo.com>
	<b76252690509131542442b289e@mail.gmail.com>
	<43275C97.6020909@simmons.edu>
Message-ID: <8d9a428005091317171dc6705e@mail.gmail.com>

I am looking to schedule my test, can you tell me about how long it takes 
for the test?

-- 
Joseph Crawford Jr.
Codebowl Solutions, Inc.
1-802-671-2021
codebowl at gmail.com
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.nyphp.org/pipermail/talk/attachments/20050913/a160b67e/attachment.html>

From dmintz at davidmintz.org  Tue Sep 13 20:46:29 2005
From: dmintz at davidmintz.org (David Mintz)
Date: Tue, 13 Sep 2005 20:46:29 -0400 (EDT)
Subject: [nycphp-talk] Zend certification
In-Reply-To: <43275C97.6020909@simmons.edu>
References: <20050913211652.28184.qmail@web36212.mail.mud.yahoo.com>
	<b76252690509131542442b289e@mail.gmail.com>
	<43275C97.6020909@simmons.edu>
Message-ID: <Pine.BSF.4.58.0509132046150.86367@emra.pair.com>

On Tue, 13 Sep 2005, Jonathan wrote:

> Hi all,
>
> After 5 years of using PHP I took the Zend certification exam and passed.

Yay!

---
David Mintz
http://davidmintz.org/


From prusak at gmail.com  Tue Sep 13 21:36:01 2005
From: prusak at gmail.com (Ophir Prusak)
Date: Tue, 13 Sep 2005 21:36:01 -0400
Subject: [nycphp-talk] Zend certification
In-Reply-To: <43275C97.6020909@simmons.edu>
References: <20050913211652.28184.qmail@web36212.mail.mud.yahoo.com>
	<b76252690509131542442b289e@mail.gmail.com>
	<43275C97.6020909@simmons.edu>
Message-ID: <f1dc81bb050913183641b87c22@mail.gmail.com>

Congrats !

As someone who previously taught PHP for Zend, a few comments.
Some of the people who wrote the test are on this list, so I'm sure
they can give you the "official" reply.
The way I see it, it's really more of door opener than a deal closer.
PHP is "notorious" for having people who call themselves PHP
programmers but don't know the first thing about computer science
concepts.
See http://www.prusak.com/archives/2004-11-04/how-did-we-get-here/ for
more details.
Just because someone passed the Zend certification doesn't make them a
good programmer, but it does mean:
1 - They take their commitment to PHP seriously
2 - They're aren't just a front end developer who's read a few
articles about PHP on the web.

I've interviewed many people for junior programming positions, and
some people will just about lie to get their foot in the door.

Ophir  


On 9/13/05, Jonathan <hendler at simmons.edu> wrote:
> Hi all,
> 
> After 5 years of using PHP I took the Zend certification exam and passed.
> Like the last sentence, it was a little anti-climactic.
> I don't know my score and would like to - I think.
> Over all I thought the test was fine for a low to mid level cert - but
> it wasn't enterprise level and somewhat jokingly I'd say it didn't make
> me feel like the as-advertised engineer.
> I don't want to sound too critical - overall, I am glad to see a
> certification program exists and it's not a bad start.
> I would think to be a zend engineer there is a whole other tier of
> applications, external libraries, and PHP 5 items that would be great
> for the next level certification.
> 
> - Jonathan Hendler
> 
> _______________________________________________
> New York PHP Talk Mailing List
> AMP Technology
> Supporting Apache, MySQL and PHP
> http://lists.nyphp.org/mailman/listinfo/talk
> http://www.nyphp.org
>


From chris at theyellowbox.com  Tue Sep 13 23:36:01 2005
From: chris at theyellowbox.com (Chris Merlo)
Date: Tue, 13 Sep 2005 23:36:01 -0400
Subject: [nycphp-talk] Zend certification
In-Reply-To: <f1dc81bb050913183641b87c22@mail.gmail.com>
References: <20050913211652.28184.qmail@web36212.mail.mud.yahoo.com>
	<b76252690509131542442b289e@mail.gmail.com>
	<43275C97.6020909@simmons.edu>
	<f1dc81bb050913183641b87c22@mail.gmail.com>
Message-ID: <946586480509132036e05c443@mail.gmail.com>

On 9/13/05, Ophir Prusak <prusak at gmail.com> wrote:

I've interviewed many people for junior programming positions, and
> some people will just about lie to get their foot in the door.


Just curious, since I teach CS and CIS at the college level: Could you 
ballpark for me what percentage of candidates, and what percentage of people 
you actually hire, have associates and bachelors degrees? I'd be much 
appreciative.
-c

-- 
chris at theyellowbox.com
http://www.theyellowbox.com/
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.nyphp.org/pipermail/talk/attachments/20050913/0df2e3f5/attachment.html>

From 1j0lkq002 at sneakemail.com  Tue Sep 13 23:47:49 2005
From: 1j0lkq002 at sneakemail.com (inforequest)
Date: Tue, 13 Sep 2005 20:47:49 -0700
Subject: [nycphp-talk] worm/virus's hammering feedback scripts? POLISHED
 VERSION
In-Reply-To: <p06230922bf4cd7030c4d@[192.168.1.44]>
References: <0MKp2t-1EEnZh055l-0000LJ@mrelay.perfora.net>	<43259BC2.4050604@omnistep.com>	<6.2.3.4.2.20050912120926.0244d060@mail.optonline.net>	<6.2.5.4.2.20050912231541.06c89ca8@rbnsn.com>	<b762526905091307434bd252cb@mail.gmail.com>
	<p06230922bf4cd7030c4d@[192.168.1.44]>
Message-ID: <7291-49880@sneakemail.com>

Marc Antony Vose suzerain-at-suzerain.com |nyphp dev/internal group use| 
wrote:

>At 10:43 AM -0400 9/13/05, csnyder wrote:
>  
>
>>I'm curious as to why we wouldn't just bail out and refuse to send the
>>email at all if someone posted input with CR or LF in it?
>>
>>Seems to me that if you have a form with <input type="text"
>>name="from" /> and you get a multiline $_POST['from'], then somebody
>>is trying to get away with something.
>>
>>    
>>
>
>
>At first this was freaking me out, too, but I just wanted to chime in 
>and say this is my preferred solution to this problem as well.
>
>I think if you receive any input that looks fishy (by whatever test 
>you choose...multiline 'from' lines seem like a good place to start), 
>you should just not send the email, and show your users "Sorry, try 
>again" or something.
>
>Cheers,
>
>  
>

Thanks for the enlightening discussion.

While I agree completely with pro-active judging of input data, there 
are cases where users cut-n-paste data into form fields (from Word, for 
example) and inadvertently transfer all sorts of garbage (including 
CR/LF stuff).

-=john andrews
http://www.seo-fun.com




From hendler at simmons.edu  Wed Sep 14 01:06:13 2005
From: hendler at simmons.edu (Jonathan)
Date: Wed, 14 Sep 2005 01:06:13 -0400
Subject: [nycphp-talk] Zend certification
In-Reply-To: <8d9a428005091317171dc6705e@mail.gmail.com>
References: <20050913211652.28184.qmail@web36212.mail.mud.yahoo.com>	<b76252690509131542442b289e@mail.gmail.com>	<43275C97.6020909@simmons.edu>
	<8d9a428005091317171dc6705e@mail.gmail.com>
Message-ID: <4327AFC5.6030508@simmons.edu>

If I remember correctly you are given 80 minutes for 70 questions.

Joseph Crawford wrote:

> I am looking to schedule my test, can you tell me about how long it 
> takes for the test?
>
> -- 
> Joseph Crawford Jr.
> Codebowl Solutions, Inc.
> 1-802-671-2021
> codebowl at gmail.com <mailto:codebowl at gmail.com>
>
>------------------------------------------------------------------------
>
>_______________________________________________
>New York PHP Talk Mailing List
>AMP Technology
>Supporting Apache, MySQL and PHP
>http://lists.nyphp.org/mailman/listinfo/talk
>http://www.nyphp.org
>



From lists at zaunere.com  Wed Sep 14 07:16:29 2005
From: lists at zaunere.com (Hans Zaunere)
Date: Wed, 14 Sep 2005 07:16:29 -0400
Subject: [nycphp-talk] worm/virus's hammering feedback
	scripts?POLISHED	VERSION
In-Reply-To: <OF00101133.FE4DE49A-ON8525707B.0014407F-8525707B.001465D7@us.ibm.com>
Message-ID: <0MKoyl-1EFVFc47SS-0007Bk@mrelay.perfora.net>



Daniel Krook scribbled on Monday, September 12, 2005 11:43 PM:
> > Is this exploit PHP specific?  Although I haven't
> > confirmed, the nature of
> > the vulnerability would appear to effect any mailing web
> > form, in nearly any
> > language.  Can anyone provide additional details?
> 
> 
> Hmm,
> 
> An interesting question...
> 
> > From my experience developing feedback forms in Java using the
> > JavaMail 
> API, the "to" or "from" email addresses are of the type
> javax.mail.internet.InternetAddress, which takes a String in its
> constructor and throws an exception
> (javax.mail.internet.AddressException) if the address can not be
> parsed in RFC822 format (the default): 
> 
>
http://java.sun.com/products/javamail/javadocs/javax/mail/internet/InternetA
ddress.html#InternetAddress(java.lang.String)
> 
> These InternetAddress objects are normally given to an instance of
> type javax.mail.internet.MimeMessage which is itself given an
> instance of javax.mail.Session.   You often set MimeMessage's
> recipients with methods which take InternetAddresses, but can also
> take raw Strings. 
> 
> The setSubject method of MimeMessage takes Strings, and it explicitly
> notes in the Javadoc that "The application must ensure that the
> subject does not contain any line breaks", which seems to suggest
> that it is also known to be vulnerable to an exploit of this nature.
> 
>
http://java.sun.com/products/javamail/javadocs/javax/mail/internet/MimeMessa
ge.html#setSubject(java.lang.String)
> 
> So it would seem if you ventured past the parts of the JavaMail API
> which allow you to use Strings, instead of creating InternetAddress
> objects and hardcoding the subject, you would be "safe" from the
> exploit, but you should double check any methods that you are using
> that expect Strings.

Good point - looks like justification for a wrapper class for the mail()
function in PHP.

We're working on getting a Phundamentals article online covering the
discussion over the last couple of days.  Thanks Roland and everyone for
their feedback and discussion.


---
Hans Zaunere / President / New York PHP
   www.nyphp.org  /  www.nyphp.com





From dmintz at davidmintz.org  Wed Sep 14 11:20:13 2005
From: dmintz at davidmintz.org (David Mintz)
Date: Wed, 14 Sep 2005 11:20:13 -0400 (EDT)
Subject: [nycphp-talk] worm/virus's hammering feedback scripts?POLISHED
 VERSION
In-Reply-To: <0MKoyl-1EFVFc47SS-0007Bk@mrelay.perfora.net>
References: <0MKoyl-1EFVFc47SS-0007Bk@mrelay.perfora.net>
Message-ID: <Pine.BSF.4.58.0509141118240.9367@emra.pair.com>

On Wed, 14 Sep 2005, Hans Zaunere wrote:
> >
> > So it would seem if you ventured past the parts of the JavaMail API
> > which allow you to use Strings, instead of creating InternetAddress
> > objects and hardcoding the subject, you would be "safe" from the
> > exploit, but you should double check any methods that you are using
> > that expect Strings.
>
> Good point - looks like justification for a wrapper class for the mail()
> function in PHP.
>
> We're working on getting a Phundamentals article online covering the
> discussion over the last couple of days.  Thanks Roland and everyone for
> their feedback and discussion.

And that class would sanitize message headers only, or the body as well? I
am still unclear whether evil stuff in the body can spawn a completely new
message.

---
David Mintz
http://davidmintz.org/


From hendler at simmons.edu  Wed Sep 14 14:46:49 2005
From: hendler at simmons.edu (Jonathan)
Date: Wed, 14 Sep 2005 14:46:49 -0400
Subject: [nycphp-talk] worm/virus's hammering feedback scripts? POLISHED
 VERSION
In-Reply-To: <p06230922bf4cd7030c4d@[192.168.1.44]>
References: <0MKp2t-1EEnZh055l-0000LJ@mrelay.perfora.net>	<43259BC2.4050604@omnistep.com>	<6.2.3.4.2.20050912120926.0244d060@mail.optonline.net>	<6.2.5.4.2.20050912231541.06c89ca8@rbnsn.com>	<b762526905091307434bd252cb@mail.gmail.com>
	<p06230922bf4cd7030c4d@[192.168.1.44]>
Message-ID: <43287019.9020201@simmons.edu>

An HTML attachment was scrubbed...
URL: <http://lists.nyphp.org/pipermail/talk/attachments/20050914/ba6112a6/attachment.html>

From dmintz at davidmintz.org  Wed Sep 14 15:29:19 2005
From: dmintz at davidmintz.org (David Mintz)
Date: Wed, 14 Sep 2005 15:29:19 -0400 (EDT)
Subject: [nycphp-talk] worm/virus's hammering feedback scripts? POLISHED
 VERSION
In-Reply-To: <7291-49880@sneakemail.com>
References: <0MKp2t-1EEnZh055l-0000LJ@mrelay.perfora.net>
	<43259BC2.4050604@omnistep.com>
	<6.2.3.4.2.20050912120926.0244d060@mail.optonline.net>
	<6.2.5.4.2.20050912231541.06c89ca8@rbnsn.com>
	<b762526905091307434bd252cb@mail.gmail.com>
	<p06230922bf4cd7030c4d@[192.168.1.44]> <7291-49880@sneakemail.com>
Message-ID: <Pine.BSF.4.58.0509141527050.73509@emra.pair.com>

On Tue, 13 Sep 2005, inforequest wrote:

> [....]
> Thanks for the enlightening discussion.
>
> While I agree completely with pro-active judging of input data, there
> are cases where users cut-n-paste data into form fields (from Word, for
> example) and inadvertently transfer all sorts of garbage (including
> CR/LF stuff).

How about this: if you are expecting single-line input such as a last
name, first trim() it, then test it for embedded CR/LF

---
David Mintz
http://davidmintz.org/


From lists at zaunere.com  Wed Sep 14 21:31:05 2005
From: lists at zaunere.com (Hans Zaunere)
Date: Wed, 14 Sep 2005 21:31:05 -0400
Subject: [nycphp-talk] worm/virus's hammering feedback scripts?POLISHED
	VERSION
In-Reply-To: <Pine.BSF.4.58.0509141118240.9367@emra.pair.com>
Message-ID: <0MKoyl-1EFiaf2Q4x-0005NR@mrelay.perfora.net>



David Mintz scribbled on Wednesday, September 14, 2005 11:20 AM:
> On Wed, 14 Sep 2005, Hans Zaunere wrote:
> > > 
> > > So it would seem if you ventured past the parts of the JavaMail
> > > API which allow you to use Strings, instead of creating
> > > InternetAddress objects and hardcoding the subject, you would be
> > > "safe" from the exploit, but you should double check any methods
> > > that you are using that expect Strings.
> > 
> > Good point - looks like justification for a wrapper class for the
> > mail() function in PHP. 
> > 
> > We're working on getting a Phundamentals article online covering the
> > discussion over the last couple of days.  Thanks Roland and
> > everyone for their feedback and discussion.
> 
> And that class would sanitize message headers only, or the body as
> well? I am still unclear whether evil stuff in the body can spawn a
> completely new message.

That class - if it existed :) - would sanitize any user input before
entering the mail() function - ie, anything that could get into the header.

The basic premise of this exploit is leveraging the MIME and SMTP standards,
not PHP.  As we've discussed and Dan Krook pointed out, some languages like
Java have specific classes that are meant to wrap what is passed into a mail
message.  This is essentially what a wrapper class in PHP would do.  If,
however, these classes are not used - and generic strings are used - then
it's likely that any web form is vulnerable.

The reason for this is how the MIME standard works, and thus how SMTP
interprets MIME messages.  A basic MIME message is broken into two parts; a
header and a body.  The header and body are separated by a blank line, ie,
\r\n\r\n (although most mail clients will accept UNIX and other line
deliminaters, like \n\n or even \n\r\n\r).

Another aspect of MIME is multi-part, which is where the fun comes in.  This
means that messages can be embedded in other messages.  This is done by
having the top level header declare a boundary, which is then used to
process further header/body pairs.

If someone is able to inject content into this top level header, they can
now essentially control the structure of the entire message.  This is done
by creating their own boundary, thus defining what's a body and what's a
header.

The other significant point of weakness that's taken advantage of is the
fact that MIME (and sub sequentially really SMTP in this case) can deal with
multiple headers of the same name.  Meaning, if there is a To: followed by a
To: they are interpreted "correctly" (ie, no error is thrown).

Putting it all together, this allows an attacker to define additional
recipients for a message, not to mention adding Bcc: and Cc: headers (using
multiple headers of the same name), and additionally then defining body
parts to be sent as the content of the message (by defining a multi-part
message).

So the upshot:  filter/sanitize anything that can get into the top-level
header and you're safe - from this exploit anyway.

An ingenuous hack really; by combining innocuous - and frankly useful -
features of MIME/SMTP, they were able to create a security problem.  But
then again, isn't that what security is always about?  :)


---
Hans Zaunere / President / New York PHP
   www.nyphp.org  /  www.nyphp.com




From mail at billyreisinger.com  Wed Sep 14 22:22:25 2005
From: mail at billyreisinger.com (Billy Reisinger)
Date: Wed, 14 Sep 2005 22:22:25 -0400
Subject: [nycphp-talk] worm/virus's hammering feedback scripts?POLISHED
	VERSION
In-Reply-To: <0MKoyl-1EFiaf2Q4x-0005NR@mrelay.perfora.net>
References: <0MKoyl-1EFiaf2Q4x-0005NR@mrelay.perfora.net>
Message-ID: <DE2AB96B-8EC3-466F-8592-976CB30E79C2@billyreisinger.com>

Thanks, Hans - that's a very good explanation that's easy to understand!
Cheers,
Billy Reisinger


> That class - if it existed :) - would sanitize any user input before
> entering the mail() function - ie, anything that could get into the  
> header.
>
> The basic premise of this exploit is leveraging the MIME and SMTP  
> standards,
> not PHP.  As we've discussed and Dan Krook pointed out, some  
> languages like
> Java have specific classes that are meant to wrap what is passed  
> into a mail
> message.  This is essentially what a wrapper class in PHP would  
> do.  If,
> however, these classes are not used - and generic strings are used  
> - then
> it's likely that any web form is vulnerable.
>
> The reason for this is how the MIME standard works, and thus how SMTP
> interprets MIME messages.  A basic MIME message is broken into two  
> parts; a
> header and a body.  The header and body are separated by a blank  
> line, ie,
> \r\n\r\n (although most mail clients will accept UNIX and other line
> deliminaters, like \n\n or even \n\r\n\r).
>
> Another aspect of MIME is multi-part, which is where the fun comes  
> in.  This
> means that messages can be embedded in other messages.  This is  
> done by
> having the top level header declare a boundary, which is then used to
> process further header/body pairs.
>
> If someone is able to inject content into this top level header,  
> they can
> now essentially control the structure of the entire message.  This  
> is done
> by creating their own boundary, thus defining what's a body and  
> what's a
> header.
>
> The other significant point of weakness that's taken advantage of  
> is the
> fact that MIME (and sub sequentially really SMTP in this case) can  
> deal with
> multiple headers of the same name.  Meaning, if there is a To:  
> followed by a
> To: they are interpreted "correctly" (ie, no error is thrown).
>
> Putting it all together, this allows an attacker to define additional
> recipients for a message, not to mention adding Bcc: and Cc:  
> headers (using
> multiple headers of the same name), and additionally then defining  
> body
> parts to be sent as the content of the message (by defining a multi- 
> part
> message).
>
> So the upshot:  filter/sanitize anything that can get into the top- 
> level
> header and you're safe - from this exploit anyway.
>
> An ingenuous hack really; by combining innocuous - and frankly  
> useful -
> features of MIME/SMTP, they were able to create a security  
> problem.  But
> then again, isn't that what security is always about?  :)
>
>
> ---
> Hans Zaunere / President / New York PHP
>    www.nyphp.org  /  www.nyphp.com
>
>
> _______________________________________________
> New York PHP Talk Mailing List
> AMP Technology
> Supporting Apache, MySQL and PHP
> http://lists.nyphp.org/mailman/listinfo/talk
> http://www.nyphp.org
>
>
>

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.nyphp.org/pipermail/talk/attachments/20050914/12bd11f6/attachment.html>

From matthijsenator at gmail.com  Thu Sep 15 02:03:39 2005
From: matthijsenator at gmail.com (matthijs abeelen)
Date: Thu, 15 Sep 2005 08:03:39 +0200
Subject: [nycphp-talk] worm/virus's hammering feedback scripts?POLISHED
	VERSION
In-Reply-To: <DE2AB96B-8EC3-466F-8592-976CB30E79C2@billyreisinger.com>
References: <0MKoyl-1EFiaf2Q4x-0005NR@mrelay.perfora.net>
	<DE2AB96B-8EC3-466F-8592-976CB30E79C2@billyreisinger.com>
Message-ID: <c905c3ce05091423037054eba6@mail.gmail.com>

This problem is spreading very fast, a good summery of the best solution(s) 
is needed indeed. Unfortunately, I'm not the one who can do that. Waiting 
eagerly for the article on Phundamentals!

"We're working on getting a Phundamentals article online covering the
discussion over the last couple of days.  Thanks Roland and everyone for
their feedback and discussion."


At the moment I'm using the following script:
<?php
// http://www.codingforums.com/showthread.php?t=67546

function email_injection_filter($formInput) 
{ 
$injectionStrings = array("apparently-to", 
"bcc", 
"boundary=", 
"charset", 
"content-disposition", 
"content-type", 
"content-transfer-encoding", 
"errors-to", 
"in-reply-to", 
"message-id", 
"mime-version", 
"multipart/mixed", 
"multipart/alternative", 
"multipart/related", 
"reply-to", 
"x-mailer", 
"x-sender", 
"x-uidl" 
); 
foreach ($injectionStrings as $spam) 
{ 
$pos = strpos(strtolower($formInput), $spam); 
if ($pos !== false) 
{ 
error_log("Email injection attempt - From IP: " . $_SERVER['REMOTE_ADDR'] . 
" | Server Time: " . date('m\/d\/y, h:i:s A'), 1, "mymail at domain.com"); 

exit("<html><body><p>Error message here.</p></body></html>"); 

} 
} 
}
?>

And then after receiving the POST variables I'll do:
foreach ($_POST as $formInput)
{
email_injection_filter($formInput);
}

Could anyone give some feedback on this particular script? I know there have 
been given/proposed many filters already. But the sheer amount of them is a 
bit overwhelming and it seems there's still no consensus on the best 
solution.

Thanks,
Matthijs
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.nyphp.org/pipermail/talk/attachments/20050915/fadeb5c2/attachment.html>

From 1j0lkq002 at sneakemail.com  Thu Sep 15 03:48:56 2005
From: 1j0lkq002 at sneakemail.com (inforequest)
Date: Thu, 15 Sep 2005 00:48:56 -0700
Subject: [nycphp-talk] AJAX functionality at search.yahoo.com
In-Reply-To: <c905c3ce05091423037054eba6@mail.gmail.com>
References: <0MKoyl-1EFiaf2Q4x-0005NR@mrelay.perfora.net>	<DE2AB96B-8EC3-466F-8592-976CB30E79C2@billyreisinger.com>
	<c905c3ce05091423037054eba6@mail.gmail.com>
Message-ID: <26127-23125@sneakemail.com>

It's midnight here in the Northwest, so you east-coast coders are 
probably getting ready to stop working right about now (3 hours ahead of 
me is 3am, so that's about right :-)

You might want to check out search.yahoo.com. Any hour now they are 
launching an AJAX-like fast-search utility that pops up actual query 
results Google Suggest style. The thing is, these will be actual 
RESULTS. If it's good, doe sit mean no more SERPs?? There is alot of 
buzz starting already.... this should be cool (?)

-=john andrews
http://www.seo-fun.com


From mikko.rantalainen at peda.net  Thu Sep 15 05:04:16 2005
From: mikko.rantalainen at peda.net (Mikko Rantalainen)
Date: Thu, 15 Sep 2005 12:04:16 +0300
Subject: [nycphp-talk] Filtering input to be appended inside email
In-Reply-To: <20050913145831.GA14467@panix.com>
References: <0MKp2t-1EEVZL04AF-0004KA@mrelay.perfora.net>	<OF5DF984F9.3FB9FD24-ON8525707A.0049C9FA-8525707A.004A5324@us.ibm.com>	<0MKp2t-1EEnZh055l-0000LJ@mrelay.perfora.net>	<43259BC2.4050604@omnistep.com>
	<20050912162018.GA22938@panix.com>	<6.2.3.4.2.20050912123707.0246ca40@mail.optonline.net>	<20050912183529.GA1332@panix.com>
	<4326DFE6.6@peda.net> <20050913145831.GA14467@panix.com>
Message-ID: <43293910.40102@peda.net>

Daniel Convissor wrote:
> Hey Mikko:
> On Tue, Sep 13, 2005 at 05:19:18PM +0300, Mikko Rantalainen wrote:
> 
>>	# header cannot contain CRLF
>>	# our implementation strips out CRs, make sure all LFs
>>	# are safe and reinserts CRs
>>	$value = preg_replace("@\r@","",trim($value));
>>	$value = preg_replace("@\n@","\n ",$value);
>>	$value = preg_replace("@\n@","\r\n",$value);
> 
> That can be done in one call (untested):
>     $value = preg_replace("/[\r\n]+/", "\r\n ", trim($value));

Yeah, that can be done in one call, but let's include the 'g' so 
that we are safe even if the input includes multiple lines of text. 
Also, allow multiple linefeeds to follow each other without 
discarding information (if input has "\r\n\r\n\r\n" then output 
should have "\r\n \r\n \r\n").

Let's try again:
   $value = preg_replace("#\r*\n#g", "\r\n ", trim($value));

Note that this version still allows invalid input such as 
"word1\rword2".

Even if you decide to use the original version with three 
preg_replace()s, add the missing 'g's after second @.

> I see the point of this is putting a space at the beginning of the line so 
> the input doesn't get interpreted as a new header line.  But in my 
> opinion, when user input is involved, allowing \r or \n isn't wise in the 
> first place.

See the RFC 2822. Including line feeds is okay as long as the next 
line starts with a space. I'm always trying to make the most generic 
function that's still safe without discarding any information that I 
can still keep (in this case, LFs).

-- 
Mikko


From hans at cyberxdesigns.com  Thu Sep 15 07:12:48 2005
From: hans at cyberxdesigns.com (Hans C. Kaspersetz)
Date: Thu, 15 Sep 2005 07:12:48 -0400
Subject: [nycphp-talk] worm/virus's hammering feedback scripts?POLISHED
 VERSION
In-Reply-To: <c905c3ce05091423037054eba6@mail.gmail.com>
References: <0MKoyl-1EFiaf2Q4x-0005NR@mrelay.perfora.net>	<DE2AB96B-8EC3-466F-8592-976CB30E79C2@billyreisinger.com>
	<c905c3ce05091423037054eba6@mail.gmail.com>
Message-ID: <43295730.3090705@cyberxdesigns.com>

This might be a silly question, but with this solution are you still 
vulnerable if the hack comes in another character encoding?

HCK


matthijs abeelen wrote:

>This problem is spreading very fast, a good summery of the best solution(s) 
>is needed indeed. Unfortunately, I'm not the one who can do that. Waiting 
>eagerly for the article on Phundamentals!
>
>"We're working on getting a Phundamentals article online covering the
>discussion over the last couple of days.  Thanks Roland and everyone for
>their feedback and discussion."
>
>
>At the moment I'm using the following script:
><?php
>// http://www.codingforums.com/showthread.php?t=67546
>
>function email_injection_filter($formInput) 
>{ 
>$injectionStrings = array("apparently-to", 
>"bcc", 
>"boundary=", 
>"charset", 
>"content-disposition", 
>"content-type", 
>"content-transfer-encoding", 
>"errors-to", 
>"in-reply-to", 
>"message-id", 
>"mime-version", 
>"multipart/mixed", 
>"multipart/alternative", 
>"multipart/related", 
>"reply-to", 
>"x-mailer", 
>"x-sender", 
>"x-uidl" 
>); 
>foreach ($injectionStrings as $spam) 
>{ 
>$pos = strpos(strtolower($formInput), $spam); 
>if ($pos !== false) 
>{ 
>error_log("Email injection attempt - From IP: " . $_SERVER['REMOTE_ADDR'] . 
>" | Server Time: " . date('m\/d\/y, h:i:s A'), 1, "mymail at domain.com"); 
>
>exit("<html><body><p>Error message here.</p></body></html>"); 
>
>} 
>} 
>}
>?>
>
>And then after receiving the POST variables I'll do:
>foreach ($_POST as $formInput)
>{
>email_injection_filter($formInput);
>}
>
>Could anyone give some feedback on this particular script? I know there have 
>been given/proposed many filters already. But the sheer amount of them is a 
>bit overwhelming and it seems there's still no consensus on the best 
>solution.
>
>Thanks,
>Matthijs
>
>  
>
>------------------------------------------------------------------------
>
>_______________________________________________
>New York PHP Talk Mailing List
>AMP Technology
>Supporting Apache, MySQL and PHP
>http://lists.nyphp.org/mailman/listinfo/talk
>http://www.nyphp.org
>


From mwithington at PLMresearch.com  Thu Sep 15 08:35:30 2005
From: mwithington at PLMresearch.com (Mark Withington)
Date: Thu, 15 Sep 2005 08:35:30 -0400
Subject: [nycphp-talk] Mantis/Subversion integration
Message-ID: <1F3CD8DDFB6A9B4C9B8DD06E4A7DE358EF2886@network.PLMresearch.com>

Perhaps slightly OT:

I'm running Subversion locally and Mantis bug tracker on my web server.  The
process of integration requires Subversion to call a batch script (.bat on
my Windoz box) that will in turn run a Mantis PHP script.  I'm planning to
do this via telnet (as the Mantis script - correctly - will not allow this
particular PHP script to be run via the server).  Soooooo.....

Any DOS wizards out there that might be able to help me write the shell/bat
script?  I know how to do it if both Subversion and Mantis were both on the
same box, just unsure how to do it on different boxes (one local, one
remote).

ALSO, if I'm off-base with my Telnet approach I would appreciate ideas there
also...

Thanks,

Mark

--------------------------
Mark L. Withington
PLMresearch
"eBusiness for the Midsize Enterprise"
PO Box 1354
Plymouth, MA  02362
o: 800-310-3992 ext. 704
f: 508-746-4973
v: 508-746-2383
m: 508-801-0181
http://www.PLMresearch.com
Netscape/AOL/MSN IM: PLMresearch
mwithington at plmresearch.com
Public Key: http://www.plmresearch.com/keys/MLW_public_key.asc
Calendar: http://www.plmresearch.com/calendar.php


From danielc at analysisandsolutions.com  Thu Sep 15 08:42:34 2005
From: danielc at analysisandsolutions.com (Daniel Convissor)
Date: Thu, 15 Sep 2005 08:42:34 -0400
Subject: [nycphp-talk] Filtering input to be appended inside email
In-Reply-To: <43293910.40102@peda.net>
References: <0MKp2t-1EEVZL04AF-0004KA@mrelay.perfora.net>
	<OF5DF984F9.3FB9FD24-ON8525707A.0049C9FA-8525707A.004A5324@us.ibm.com>
	<0MKp2t-1EEnZh055l-0000LJ@mrelay.perfora.net>
	<43259BC2.4050604@omnistep.com> <20050912162018.GA22938@panix.com>
	<6.2.3.4.2.20050912123707.0246ca40@mail.optonline.net>
	<20050912183529.GA1332@panix.com> <4326DFE6.6@peda.net>
	<20050913145831.GA14467@panix.com> <43293910.40102@peda.net>
Message-ID: <20050915124234.GA29328@panix.com>

On Thu, Sep 15, 2005 at 12:04:16PM +0300, Mikko Rantalainen wrote:
> Daniel Convissor wrote:
> > 
> >     $value = preg_replace("/[\r\n]+/", "\r\n ", trim($value));
> 
> Yeah, that can be done in one call, but let's include the 'g' so 
> that we are safe even if the input includes multiple lines of text. 

A few things.  

"g" isn't an official pattern modifier (aka "Internal option letter") 
(http://www.php.net/manual/en/reference.pcre.pattern.syntax.php).  
Perhaps you mean for it to be greedy, but PHP's preg is greedy by default.  
The "U" modifier makes things un-greedy.

The pattern I presented replaces any \r, \n or combination thereof in any 
order and of any length.  So, since those ARE the characters that define 
line breaks, there's no need for the multi-line modifier, "m".


>    $value = preg_replace("#\r*\n#g", "\r\n ", trim($value));

That pattern isn't 100% effective.  For example, you won't catch a 
plain \r on it's own.  OH, I see below that's your intention...


> Note that this version still allows invalid input such as 
> "word1\rword2".

While that may be allowed, I wouldn't trust that _at_ _all_.  Most mail 
programs are forgiving and might consider "word2" a header.

--Dan

-- 
 T H E   A N A L Y S I S   A N D   S O L U T I O N S   C O M P A N Y
            data intensive web and database programming
                http://www.AnalysisAndSolutions.com/
 4015 7th Ave #4, Brooklyn NY 11232  v: 718-854-0335 f: 718-854-0409


From lists at zaunere.com  Thu Sep 15 09:01:22 2005
From: lists at zaunere.com (Hans Zaunere)
Date: Thu, 15 Sep 2005 09:01:22 -0400
Subject: [nycphp-talk] worm/virus's hammering feedback scripts?POLISHED
	VERSION
In-Reply-To: <43295730.3090705@cyberxdesigns.com>
Message-ID: <0MKp2t-1EFtMi2l92-0003co@mrelay.perfora.net>



Hans C. Kaspersetz scribbled on Thursday, September 15, 2005 7:13 AM:
> This might be a silly question, but with this solution are you still
> vulnerable if the hack comes in another character encoding?

That's a good question.  I believe that headers are expected to be in
US-ASCII.  While that's how it was in the original spec, there may be
addendum specs that I'm not aware of (I don't read RFCs for a living anymore
:)

Most MTAs will likely break with non-ASCII headers anyway, even if it's
allowed in some RFC.  Again, there are likely fringe cases, but most who use
sendmail/postfix/your-mta-hear are probably immune.


---
Hans Zaunere / President / New York PHP
   www.nyphp.org  /  www.nyphp.com





From rrust at r2communications.com  Thu Sep 15 08:58:15 2005
From: rrust at r2communications.com (Randal Rust)
Date: Thu, 15 Sep 2005 07:58:15 -0500
Subject: [nycphp-talk] Convert Word to PDF online with PHP
Message-ID: <1126789095.43296fe73fc86@webmail.r2communications.com>

I have a client who would like to upload Word files to the site and have them
converted to PDF on the fly. I'm not really turning up anything via Google that
seems to fit the bill. Any thoughts?

I told them to just buy Click To Convert for $90 USD and be done with it, but
they insist... 

Randal Rust

-----------------------------
R.Squared Communications
Digital Design for Bricks-and-Mortar Business
www.r2communications.com



From mikko.rantalainen at peda.net  Thu Sep 15 10:10:22 2005
From: mikko.rantalainen at peda.net (Mikko Rantalainen)
Date: Thu, 15 Sep 2005 17:10:22 +0300
Subject: [nycphp-talk] Filtering input to be appended inside email
In-Reply-To: <20050915124234.GA29328@panix.com>
References: <0MKp2t-1EEVZL04AF-0004KA@mrelay.perfora.net>	<OF5DF984F9.3FB9FD24-ON8525707A.0049C9FA-8525707A.004A5324@us.ibm.com>	<0MKp2t-1EEnZh055l-0000LJ@mrelay.perfora.net>	<43259BC2.4050604@omnistep.com>
	<20050912162018.GA22938@panix.com>	<6.2.3.4.2.20050912123707.0246ca40@mail.optonline.net>	<20050912183529.GA1332@panix.com>
	<4326DFE6.6@peda.net>	<20050913145831.GA14467@panix.com>
	<43293910.40102@peda.net> <20050915124234.GA29328@panix.com>
Message-ID: <432980CE.8040208@peda.net>

Daniel Convissor wrote:
> On Thu, Sep 15, 2005 at 12:04:16PM +0300, Mikko Rantalainen wrote:
> 
>>Daniel Convissor wrote:
>>
>>>    $value = preg_replace("/[\r\n]+/", "\r\n ", trim($value));
>>
>>Yeah, that can be done in one call, but let's include the 'g' so 
>>that we are safe even if the input includes multiple lines of text. 
> 
> "g" isn't an official pattern modifier (aka "Internal option letter") 
> (http://www.php.net/manual/en/reference.pcre.pattern.syntax.php).  
> Perhaps you mean for it to be greedy, but PHP's preg is greedy by default.  
> The "U" modifier makes things un-greedy.

Yes, you're right, of course. I hate when they make it look like 
Perl but don't actually copy the behavior. In Perl, the 'g' option 
makes replacement pattern to replace *all* matches - by default Perl 
regexes only replace the first occurrence.

> The pattern I presented replaces any \r, \n or combination thereof in any 
> order and of any length.  So, since those ARE the characters that define 
> line breaks, there's no need for the multi-line modifier, "m".

As I wrote:
>> if input has "\r\n\r\n\r\n" then output should have "\r\n \r\n \r\n"

Your pattern replaces the above input with exactly one CRLF pair. If 
you just want to discard all line feeds, then it's fine to use that 
pattern and use space " " as a replacement. However, as I wanted to 
keep as much information as possible, I'm trying to keep all the 
three line feeds in the output so I cannot just match a sequence of
"\r" and "\n" characters.

A correct implementation following the RFC would also make sure that 
no line exceeds 1000 characters and it *should* wrap lines at 
maximum of 78 characters.

-- 
Mikko


From nestorflorez at earthlink.net  Thu Sep 15 12:28:08 2005
From: nestorflorez at earthlink.net (Nestor Florez)
Date: Thu, 15 Sep 2005 09:28:08 -0700 (GMT-07:00)
Subject: [nycphp-talk] Convert Word to PDF online with PHP
Message-ID: <23797934.1126801688892.JavaMail.root@elwamui-milano.atl.sa.earthlink.net>

OpenOffice will convert the word document to PDF

Nestor :-)

-----Original Message-----
From: Randal Rust <rrust at r2communications.com>
Sent: Sep 15, 2005 5:58 AM
To: NYPHP Talk <talk at lists.nyphp.org>
Subject: [nycphp-talk] Convert Word to PDF online with PHP

I have a client who would like to upload Word files to the site and have them
converted to PDF on the fly. I'm not really turning up anything via Google that
seems to fit the bill. Any thoughts?

I told them to just buy Click To Convert for $90 USD and be done with it, but
they insist... 

Randal Rust

-----------------------------
R.Squared Communications
Digital Design for Bricks-and-Mortar Business
www.r2communications.com

_______________________________________________
New York PHP Talk Mailing List
AMP Technology
Supporting Apache, MySQL and PHP
http://lists.nyphp.org/mailman/listinfo/talk
http://www.nyphp.org





From matt at jobsforge.com  Thu Sep 15 12:55:18 2005
From: matt at jobsforge.com (Matthew Terenzio)
Date: Thu, 15 Sep 2005 12:55:18 -0400
Subject: [nycphp-talk] AJAX functionality at search.yahoo.com
In-Reply-To: <26127-23125@sneakemail.com>
References: <0MKoyl-1EFiaf2Q4x-0005NR@mrelay.perfora.net>	<DE2AB96B-8EC3-466F-8592-976CB30E79C2@billyreisinger.com>
	<c905c3ce05091423037054eba6@mail.gmail.com>
	<26127-23125@sneakemail.com>
Message-ID: <5cc639d1b3e887305dea439a9649489f@jobsforge.com>


On Sep 15, 2005, at 3:48 AM, inforequest wrote:

> The thing is, these will be actual
> RESULTS. If it's good, doe sit mean no more SERPs??

Could you explain what you mean? I ought to have a look at it  and 
maybe it will be clearer.



From greg.rundlett at gmail.com  Thu Sep 15 15:51:10 2005
From: greg.rundlett at gmail.com (Greg Rundlett)
Date: Thu, 15 Sep 2005 15:51:10 -0400
Subject: [nycphp-talk] Mantis/Subversion integration
In-Reply-To: <1F3CD8DDFB6A9B4C9B8DD06E4A7DE358EF2886@network.PLMresearch.com>
References: <1F3CD8DDFB6A9B4C9B8DD06E4A7DE358EF2886@network.PLMresearch.com>
Message-ID: <5e2aaca4050915125160559d52@mail.gmail.com>

quick and easy

 *function* openUrl($url) {
       *// Fake the browser type*
       *// ini_set('user_agent','MSIE 4\.0b2;');*
    $handle = fopen($url, "rb");
    $contents = '';
    if($handle) {
        while (!feof($handle)) {
            $contents .= fread($handle, 8192);
        }
        fclose($handle);       
    }
    else {
        $contents = 'Error opening $url' . $url;
    }
    return $contents;
} 



print $contents = openUrl('http://www.google.com');
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.nyphp.org/pipermail/talk/attachments/20050915/5f53eb10/attachment.html>

From greg.rundlett at gmail.com  Thu Sep 15 15:53:07 2005
From: greg.rundlett at gmail.com (Greg Rundlett)
Date: Thu, 15 Sep 2005 15:53:07 -0400
Subject: [nycphp-talk] Mantis/Subversion integration
In-Reply-To: <5e2aaca4050915125160559d52@mail.gmail.com>
References: <1F3CD8DDFB6A9B4C9B8DD06E4A7DE358EF2886@network.PLMresearch.com>
	<5e2aaca4050915125160559d52@mail.gmail.com>
Message-ID: <5e2aaca4050915125358a7ccd5@mail.gmail.com>

On 9/15/05, Greg Rundlett <greg.rundlett at gmail.com> wrote:
> 
> quick and easy
> 
> *function* openUrl($url) {
>        *// Fake the browser type*
>        *// ini_set('user_agent','MSIE 4\.0b2;');*
>     $handle = fopen($url
> , "rb");
>     $contents = '';
>     if($handle) {
>         while (!feof(
> $handle)) {
>             $contents .= fread($handle
> , 8192);
>         }
>         fclose($handle);       
>     }
>     else {
>         $contents = 'Error opening $url' . $url
> ;
>     }
>     return $contents;
> } 
> 
> 
> 
> print $contents = openUrl('http://www.google.com')<http://www.google.com%27%29>
> ;
> 
> and run that from the bat as php.exe -f myUrlGetter.php url=
http://www.foo.com

of course then you'd perhaps want to add in Console/GetOpt.php (from PEAR) 
to parse the command-line args
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.nyphp.org/pipermail/talk/attachments/20050915/f8653537/attachment.html>

From mwithington at PLMresearch.com  Thu Sep 15 16:05:15 2005
From: mwithington at PLMresearch.com (Mark Withington)
Date: Thu, 15 Sep 2005 16:05:15 -0400
Subject: [nycphp-talk] Mantis/Subversion integration
Message-ID: <1F3CD8DDFB6A9B4C9B8DD06E4A7DE358EF2897@network.PLMresearch.com>

To paraphrase Homer Simpson, "Doh!"  
 
PHP's CLI, brilliant.  Thanks Greg.
 
 

--------------------------
Mark L. Withington
PLMresearch
v: 508-746-2383
m: 508-801-0181
Calendar: http://www.plmresearch.com/calendar.php
<http://www.plmresearch.com/calendar.php> 




-----Original Message-----
From: talk-bounces at lists.nyphp.org [mailto:talk-bounces at lists.nyphp.org] On
Behalf Of Greg Rundlett
Sent: Thursday, September 15, 2005 3:53 PM
To: NYPHP Talk
Subject: Re: [nycphp-talk] Mantis/Subversion integration




On 9/15/05, Greg Rundlett <greg.rundlett at gmail.com
<mailto:greg.rundlett at gmail.com> > wrote: 

quick and easy


function openUrl($url) {
       

// Fake the browser type
       // ini_set('user_agent','MSIE 4\.0b2;');
    $handle = 

fopen($url
, "rb"

);
    $contents = '';
    if

($handle) {
        while 

(!feof(
$handle)) {
            

$contents .= fread($handle


, 8192);
        }
        fclose(

$handle);       
    }
    else {
        

$contents = 'Error opening $url' . $url
;
    }
    

return $contents;
} 


print $contents = openUrl('http://www.google.com')
<http://www.google.com%27%29> ;



and run that from the bat as php.exe -f myUrlGetter.php
url=http://www.foo.com <http://www.foo.com> 

of course then you'd perhaps want to add in Console/GetOpt.php (from PEAR)
to parse the command-line args 


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.nyphp.org/pipermail/talk/attachments/20050915/ca5afcf0/attachment.html>

From cfontaine at spidmail.net  Thu Sep 15 16:30:15 2005
From: cfontaine at spidmail.net (Cedric Fontaine)
Date: Thu, 15 Sep 2005 16:30:15 -0400
Subject: [nycphp-talk] zencart help list
Message-ID: <4329D9D7.2080508@spidmail.net>

Hello,

I have a problem with zencart not redirecting from
main_page=checkout_process to main_page=checkout_success

I get a blank page on checkout_process and I don't know why.

cache/ dir is empty
no mod_gzip activated

And I try to find the problem and it seems that Header("Location...) is
not sent or not interpreted...

You guys, are you using it ? Is there any mailing list resources ?

Thanks

Cedric




From 1j0lkq002 at sneakemail.com  Thu Sep 15 17:31:03 2005
From: 1j0lkq002 at sneakemail.com (inforequest)
Date: Thu, 15 Sep 2005 14:31:03 -0700
Subject: [nycphp-talk] AJAX functionality at search.yahoo.com
In-Reply-To: <5cc639d1b3e887305dea439a9649489f@jobsforge.com>
References: <0MKoyl-1EFiaf2Q4x-0005NR@mrelay.perfora.net>	<DE2AB96B-8EC3-466F-8592-976CB30E79C2@billyreisinger.com>	<c905c3ce05091423037054eba6@mail.gmail.com>	<26127-23125@sneakemail.com>
	<5cc639d1b3e887305dea439a9649489f@jobsforge.com>
Message-ID: <30346-14369@sneakemail.com>

Matthew Terenzio matt-at-jobsforge.com |nyphp dev/internal group use| 
wrote:

>On Sep 15, 2005, at 3:48 AM, inforequest wrote:
>
>  
>
>>The thing is, these will be actual
>>RESULTS. If it's good, doe sit mean no more SERPs??
>>    
>>
>
>Could you explain what you mean? I ought to have a look at it  and 
>maybe it will be clearer.
>  
>
Yes. That was based on rumor.... so naturally it was a bit off. The 
service did launch as beta but it's here http://instant.search.yahoo.com/

-=john andrews
http://www.seo-fun.com when Dreamhost isn't down


From rsa at barrett.com.au  Thu Sep 15 19:44:35 2005
From: rsa at barrett.com.au (Russell Aronson)
Date: Fri, 16 Sep 2005 09:44:35 +1000
Subject: [nycphp-talk] PHP segmentation fault with custom-compiled binaries
 -Zen Cart
Message-ID: <432A0763.9090300@barrett.com.au>

I had the same problem about a week ago. i could connect to the mysql 
server through php but when i pulled data, the apache process would 
segfault. I had also compiled the php5 and mysql 4.1.12 packages from 
source. i took a look at phpinfo from within a browser and also from the 
command line. i realized that the mysql client api version was 3.23 
(which was different to the mysql server version i was running) in the 
browser but not on the command line. i had both 3.23 and 4.1 mysql 
client libraries installed because perl-DBI and mod_auth_mysql required 
the older version...

The problem is something like this. mod_auth_mysql loaded the 
mysqlclient10-3.23 libraries into the apache process which overwrote the 
other mysql client libraries that php loaded. when php uses a mysql 
function, it goes through a module compiled for mysql 4.1 libraries, but 
in this case, it links to a library compiled for mysql 3.23 because of 
mod_auth_mysql.

To fix the problem, just remove any apache module that uses the 
mysqlclient10-3.23 libraries, ie. mod_auth_mysql.

-- 
Russell Aronson, Web Development & System Administration
Barrett Consulting Group Pty Ltd
Phone: +61 3 9532 7677, Fax: +61 3 9532 7388
http://www.barrett.com.au



From matt at jobsforge.com  Thu Sep 15 20:44:24 2005
From: matt at jobsforge.com (Matthew Terenzio)
Date: Thu, 15 Sep 2005 20:44:24 -0400
Subject: [nycphp-talk] AJAX functionality at search.yahoo.com
In-Reply-To: <30346-14369@sneakemail.com>
References: <0MKoyl-1EFiaf2Q4x-0005NR@mrelay.perfora.net>	<DE2AB96B-8EC3-466F-8592-976CB30E79C2@billyreisinger.com>	<c905c3ce05091423037054eba6@mail.gmail.com>	<26127-23125@sneakemail.com>
	<5cc639d1b3e887305dea439a9649489f@jobsforge.com>
	<30346-14369@sneakemail.com>
Message-ID: <b69525de3def90d06bafad9c74e1c935@jobsforge.com>


On Sep 15, 2005, at 5:31 PM, inforequest wrote:

> Yes. That was based on rumor.... so naturally it was a bit off. The
> service did launch as beta but it's here 
> http://instant.search.yahoo.com/
>
Yes, but what did you mean by the end of SERPs. Why?



From lists at zaunere.com  Thu Sep 15 21:01:54 2005
From: lists at zaunere.com (Hans Zaunere)
Date: Thu, 15 Sep 2005 21:01:54 -0400
Subject: [nycphp-talk] AJAX functionality at search.yahoo.com
In-Reply-To: <30346-14369@sneakemail.com>
Message-ID: <0MKp2t-1EG4bx2zWw-0005QT@mrelay.perfora.net>



inforequest wrote on Thursday, September 15, 2005 5:31 PM:
> Matthew Terenzio matt-at-jobsforge.com |nyphp dev/internal group use|
> wrote:
> 
> > On Sep 15, 2005, at 3:48 AM, inforequest wrote:
> > 
> > 
> > 
> > > The thing is, these will be actual
> > > RESULTS. If it's good, doe sit mean no more SERPs??
> > > 
> > > 
> > 
> > Could you explain what you mean? I ought to have a look at it  and
> > maybe it will be clearer. 
> > 
> > 
> Yes. That was based on rumor.... so naturally it was a bit off. The
> service did launch as beta but it's here
> http://instant.search.yahoo.com/ 

I've gone back to Yahoo! and changed my default search engine to it, but I
must admit the above is quite unimpressive :)

H



From lists at zaunere.com  Thu Sep 15 21:04:48 2005
From: lists at zaunere.com (Hans Zaunere)
Date: Thu, 15 Sep 2005 21:04:48 -0400
Subject: [nycphp-talk] zencart help list
In-Reply-To: <4329D9D7.2080508@spidmail.net>
Message-ID: <0MKp2t-1EG4el0ksf-0005n4@mrelay.perfora.net>



Cedric Fontaine wrote on Thursday, September 15, 2005 4:30 PM:
> Hello,
> 
> I have a problem with zencart not redirecting from
> main_page=checkout_process to main_page=checkout_success
> 
> I get a blank page on checkout_process and I don't know why.
> 
> cache/ dir is empty
> no mod_gzip activated
> 
> And I try to find the problem and it seems that Header("Location...)
> is not sent or not interpreted...

Not specific to Zen Cart, but just double check that there's no output
before the header() call.  Any output - even a new line - will of course
cause header() to fail.

H



From papillion at gmail.com  Thu Sep 15 21:31:40 2005
From: papillion at gmail.com (Anthony Papillion)
Date: Thu, 15 Sep 2005 20:31:40 -0500
Subject: [nycphp-talk] Zend Certification
Message-ID: <5458518f0509151831af53b9b@mail.gmail.com>

Hello Everyone,

I'm sure this has already been discussed on the list before but I was
wanting some updated perspective about Zend Certification.

I'm a serious, professional PHP developer who's competing for jobs
with people who "picked up scripting and have done a few sites in
their spare time". I'm wanting to find something that can immediately
differentiate myself and my skill set from those people without the
client or employer having to setup an interview and review sample
code, etc. I think a Zend cert might help do that.

My question is this: how seriously is the certification taken by
employers and clients? Does it really set a developer apart or is it
like the old MCSE cert was a few years ago?

Thanks!
-- 
Anthony Papillion
Phone: (918) 926-0139
ICQ: 96-698-595

CAN ONE VOICE CHANGE THE WORLD?
http://www.one.org


From woodwort at agritec.net  Thu Sep 15 21:57:56 2005
From: woodwort at agritec.net (woodwort)
Date: Thu, 15 Sep 2005 18:57:56 -0700
Subject: [nycphp-talk] cake
In-Reply-To: <p06230922bf4cd7030c4d@[192.168.1.44]>
References: <0MKp2t-1EEnZh055l-0000LJ@mrelay.perfora.net>	<43259BC2.4050604@omnistep.com>	<6.2.3.4.2.20050912120926.0244d060@mail.optonline.net>	<6.2.5.4.2.20050912231541.06c89ca8@rbnsn.com>	<b762526905091307434bd252cb@mail.gmail.com>
	<p06230922bf4cd7030c4d@[192.168.1.44]>
Message-ID: <432A26A4.7060003@agritec.net>

I am not sure if anyone has heard of cake, but its pretty nice and 
growing fast. Inspired by rails.

http://www.cakephp.org


From chendry at gmail.com  Thu Sep 15 23:15:37 2005
From: chendry at gmail.com (Christopher Hendry)
Date: Thu, 15 Sep 2005 23:15:37 -0400
Subject: [nycphp-talk] AJAX functionality at search.yahoo.com
In-Reply-To: <0MKp2t-1EG4bx2zWw-0005QT@mrelay.perfora.net>
References: <30346-14369@sneakemail.com>
	<0MKp2t-1EG4bx2zWw-0005QT@mrelay.perfora.net>
Message-ID: <769e4ce050915201526532c4d@mail.gmail.com>

Seems that Ajax is creating a lot of hype - just as all new 'technologies' 
do.

http://www.nytimes.com/2005/09/12/technology/12ecom.html

What's most impressive about all this is that Javascript seems to finally be 
stabilizing.

C

On 9/15/05, Hans Zaunere <lists at zaunere.com> wrote:
> 
> 
> 
> inforequest wrote on Thursday, September 15, 2005 5:31 PM:
> > Matthew Terenzio matt-at-jobsforge.com <http://matt-at-jobsforge.com>|nyphp dev/internal group use|
> > wrote:
> >
> > > On Sep 15, 2005, at 3:48 AM, inforequest wrote:
> > >
> > >
> > >
> > > > The thing is, these will be actual
> > > > RESULTS. If it's good, doe sit mean no more SERPs??
> > > >
> > > >
> > >
> > > Could you explain what you mean? I ought to have a look at it and
> > > maybe it will be clearer.
> > >
> > >
> > Yes. That was based on rumor.... so naturally it was a bit off. The
> > service did launch as beta but it's here
> > http://instant.search.yahoo.com/
> 
> I've gone back to Yahoo! and changed my default search engine to it, but I
> must admit the above is quite unimpressive :)
> 
> H
> 
> _______________________________________________
> New York PHP Talk Mailing List
> AMP Technology
> Supporting Apache, MySQL and PHP
> http://lists.nyphp.org/mailman/listinfo/talk
> http://www.nyphp.org
> 



-- 

"When you do things right, people won't be sure you've done anything at 
all."
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.nyphp.org/pipermail/talk/attachments/20050915/c15917f3/attachment.html>

From joeymarshall at ml1.net  Fri Sep 16 00:01:06 2005
From: joeymarshall at ml1.net (Joey Marshall)
Date: Thu, 15 Sep 2005 21:01:06 -0700
Subject: [nycphp-talk] Paypal IPN with php
Message-ID: <1126843266.26501.243046269@webmail.messagingengine.com>

hi,
I'v been coding some software for a company and they want to integrate
paypal's subscriptions with IPN. Iv'e read PayPal's manuel for it and
looked around for examples but I still havn't figured out how to use it.
Basicly, in my sql table for users I have one field named 'active',
which I want turned on or off depending on the state of the users
subscription. And I want new subscriptions that come in to create a new
user.
Is there any code out there that can do that thats easy to integrate? I
think I understand the basic consept of IPN, I just need some code that
can do what I mentioned in the above paragraph.

Any help would be great!
Thanks!

Joey Marshall

-- 
http://www.fastmail.fm - A fast, anti-spam email service.



From 1j0lkq002 at sneakemail.com  Fri Sep 16 00:14:20 2005
From: 1j0lkq002 at sneakemail.com (inforequest)
Date: Thu, 15 Sep 2005 21:14:20 -0700
Subject: [nycphp-talk] AJAX functionality at search.yahoo.com
In-Reply-To: <769e4ce050915201526532c4d@mail.gmail.com>
References: <30346-14369@sneakemail.com>	<0MKp2t-1EG4bx2zWw-0005QT@mrelay.perfora.net>
	<769e4ce050915201526532c4d@mail.gmail.com>
Message-ID: <32586-22956@sneakemail.com>

Christopher Hendry chendry-at-gmail.com |nyphp dev/internal group use| 
wrote:

> Seems that Ajax is creating a lot of hype - just as all new 
> 'technologies' do.
>
> http://www.nytimes.com/2005/09/12/technology/12ecom.html
>
> What's most impressive about all this is that Javascript seems to 
> finally be stabilizing.
>
> C

Or perhaps a commitment to JS is evident. JS is still disabled 
frequently, and the next spyware/virus incident still threatens to shut 
it down as always. I don't see us any further along the DHTML/Flash 
decision tree yet, but people simply can't wait any longer (?) Did you 
notice that the Gap site uses pop-ups that get past FF's pop-up blocker?

I also note an increasing number of sites that break in FF.

In other words, perhaps the risk is just being managed less tightly (for 
lack of any other options).

-=john andrews
http://www.seo-fun.com




From 1j0lkq002 at sneakemail.com  Fri Sep 16 00:28:51 2005
From: 1j0lkq002 at sneakemail.com (inforequest)
Date: Thu, 15 Sep 2005 21:28:51 -0700
Subject: [nycphp-talk] AJAX functionality at search.yahoo.com
In-Reply-To: <b69525de3def90d06bafad9c74e1c935@jobsforge.com>
References: <0MKoyl-1EFiaf2Q4x-0005NR@mrelay.perfora.net>	<DE2AB96B-8EC3-466F-8592-976CB30E79C2@billyreisinger.com>	<c905c3ce05091423037054eba6@mail.gmail.com>	<26127-23125@sneakemail.com>	<5cc639d1b3e887305dea439a9649489f@jobsforge.com>	<30346-14369@sneakemail.com>
	<b69525de3def90d06bafad9c74e1c935@jobsforge.com>
Message-ID: <8242-67455@sneakemail.com>

Matthew Terenzio matt-at-jobsforge.com |nyphp dev/internal group use| 
wrote:

>On Sep 15, 2005, at 5:31 PM, inforequest wrote:
>
>  
>
>Yes, but what did you mean by the end of SERPs. Why?
>  
>

This is called a beta of Yahoo! "instant search". It seems to be an 
equivalent of Google's "I feel lucky" only it claims to give you the TOP 
RESULT (the #1 SERP position's website) instead of whatever "I feel 
lucky" promises. Yahoo! boldly suggests that the #1 result is "what you 
probably want anyway".

Last report I saw, "I feel lucky" was not very popular. I am guessing 
most people don't even know what's behind that button. But if this "just 
show me me the #1 answer so I can say yes/no" becomes popular, two 
things come true immediately:

1. It REALLY pays to win the #1 spot in your category. Practically an 
all-or-nothing game to be in Yahoo! (so to the extent that people 
utilize Instant Search, the SERPs are meaningless. Only #1 matters)
2. Yahoo! eliminates alot of their SERPs "quality issues" by hiding them 
under the carpet. As long as the #1 spot is good, everyone thinks Yahoo! 
works great (even if #2 thru 10 are spam sites).

Since it is widely known that Yahoo! hand edits certain categories to 
"manage" the top spots, they are thus able to eliminate a HUGE part of 
their algorithmic burden via Instant Search. Not much of a search 
engine, eh? More like a directory. And think about the "paid inclusion" 
possibilities... what could they get for the top spot then?

The AJAX stuff is just part of the interface (eliminates the submit and 
allows "suggestion".. a powerful marketing concept).

-=john andrews
http://www.seo-fun.com when Dreamhost isn't down




From hendler at simmons.edu  Fri Sep 16 01:02:09 2005
From: hendler at simmons.edu (Jonathan)
Date: Fri, 16 Sep 2005 01:02:09 -0400
Subject: [nycphp-talk] Zend Certification
In-Reply-To: <5458518f0509151831af53b9b@mail.gmail.com>
References: <5458518f0509151831af53b9b@mail.gmail.com>
Message-ID: <432A51D1.7070305@simmons.edu>

As you might have seen in previous posts, I took the test a few days ago.
I would like several levels of certification - but the existing test was 
well written and does establish a standard baseline.
My bet is that most employers, unless they are a real PHP house, haven't 
heard of Zend certification, or even Zend itself. So it'd be up to you 
to explain the merits of your certification to them. I think it could help.




Anthony Papillion wrote:

>Hello Everyone,
>
>I'm sure this has already been discussed on the list before but I was
>wanting some updated perspective about Zend Certification.
>
>I'm a serious, professional PHP developer who's competing for jobs
>with people who "picked up scripting and have done a few sites in
>their spare time". I'm wanting to find something that can immediately
>differentiate myself and my skill set from those people without the
>client or employer having to setup an interview and review sample
>code, etc. I think a Zend cert might help do that.
>
>My question is this: how seriously is the certification taken by
>employers and clients? Does it really set a developer apart or is it
>like the old MCSE cert was a few years ago?
>
>Thanks!
>  
>



From mikko.rantalainen at peda.net  Fri Sep 16 04:07:36 2005
From: mikko.rantalainen at peda.net (Mikko Rantalainen)
Date: Fri, 16 Sep 2005 11:07:36 +0300
Subject: [nycphp-talk] AJAX functionality at instant.search.yahoo.com
In-Reply-To: <30346-14369@sneakemail.com>
References: <0MKoyl-1EFiaf2Q4x-0005NR@mrelay.perfora.net>	<DE2AB96B-8EC3-466F-8592-976CB30E79C2@billyreisinger.com>	<c905c3ce05091423037054eba6@mail.gmail.com>	<26127-23125@sneakemail.com>	<5cc639d1b3e887305dea439a9649489f@jobsforge.com>
	<30346-14369@sneakemail.com>
Message-ID: <432A7D48.3020500@peda.net>

inforequest wrote:
> Matthew Terenzio matt-at-jobsforge.com |nyphp dev/internal group use| 
> wrote:
> 
> [...]
> service did launch as beta but it's here http://instant.search.yahoo.com/

Am I equally unimpressed as everybody else? I tried to type 10-20 
different things I would try to search for and there was no "instant 
results" for any of them. Even the most common ones like "linux" 
gave me nothing.

Now, compare this to Google suggest beta at 
http://www.google.com/webhp?complete=1 - granted, this doesn't 
provide the *result* but it does give me much more information 
otherwise. For example, if I input "linux" here, google suggest 
(almost instantly) provides a list that looks like this:

linux		222 000 000 results
linux commands	  5 240 000 results
linux download	 21 500 000 results
linux games	 14 900 000 results
...

So instead of not providing me anything, Google suggest tells me 
that "linux" isn't that good a search word because it matches 222 
million documents. However, it also suggests me a collection of 
additional keywords that I might be interested in.

The bottom line is, using AJAX isn't interesting itself, it's what 
kind of information you can provide with it. If yahoo's "first hit 
instantly" method gets popular, it takes about 5 minutes for google 
to implement the same thing. They already have google suggests so 
they just need to add a feature to display the first result in 
addition to list they provide and they have a better service.

-- 
Mikko


From cfontaine at spidmail.net  Fri Sep 16 08:06:48 2005
From: cfontaine at spidmail.net (Cedric Fontaine)
Date: Fri, 16 Sep 2005 08:06:48 -0400
Subject: [nycphp-talk] zencart help list
In-Reply-To: <0MKp2t-1EG4el0ksf-0005n4@mrelay.perfora.net>
References: <0MKp2t-1EG4el0ksf-0005n4@mrelay.perfora.net>
Message-ID: <432AB558.9020108@spidmail.net>

Hans Zaunere wrote:
> 
> Cedric Fontaine wrote on Thursday, September 15, 2005 4:30 PM:
> 
>>Hello,
>>
>>I have a problem with zencart not redirecting from
>>main_page=checkout_process to main_page=checkout_success
>>
>>I get a blank page on checkout_process and I don't know why.

In fact sysadmin set php to display_errors no and no logging. So I set
errors to log and found that you were right there was output before redirect

Cedric



From codebowl at gmail.com  Fri Sep 16 08:59:57 2005
From: codebowl at gmail.com (Joseph Crawford)
Date: Fri, 16 Sep 2005 08:59:57 -0400
Subject: [nycphp-talk] PHP / Word 2003 COM
Message-ID: <8d9a428005091605591e654e81@mail.gmail.com>

Hello Everyone,

I had been trying to figure out a way to use MySQL with Word 2003 as my data 
source for my mail merge. I FINALLY figured out how to do this but in the 
meantime i stumbled accross an article that showed how to use Word's COM 
object to automate the mail merge from within an intranet. I thought this 
may be usefull to others out there so i thought i would pass it to the list. 
Also though i have been trying to find the docs for the COM object so that i 
can figure out what format the header/data source are supposed to be in so 
that i can make use of this information.

I have been to google and MSDN and spent about an hour on each trying to 
find these docs, do they not exist lol. Anyone that can point me in the 
proper direction?

MySQL Mail Merge
http://torque.oncloud8.com/archives/000160.html

PHP & Word Com Integration
http://www.zend.com/tips/tips.php?id=262&single=1

Any help would be appreciated.

-- 
Joseph Crawford Jr.
Codebowl Solutions, Inc.
1-802-671-2021
codebowl at gmail.com
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.nyphp.org/pipermail/talk/attachments/20050916/495f4da8/attachment.html>

From chucksmith at fun-electronics.com  Fri Sep 16 09:52:47 2005
From: chucksmith at fun-electronics.com (chucksmith at fun-electronics.com)
Date: Fri, 16 Sep 2005 09:52:47 -0400
Subject: [nycphp-talk] Paypal IPN with php
In-Reply-To: <mailman.215.1126858060.20628.talk@lists.nyphp.org>
References: <mailman.215.1126858060.20628.talk@lists.nyphp.org>
Message-ID: <1126878767.432ace2f68b18@webmail.fun-electronics.com>

> hi,
> I'v been coding some software for a company and they want to integrate
> paypal's subscriptions with IPN. Iv'e read PayPal's manuel for it and
> looked around for examples but I still havn't figured out how to use it.
> Basicly, in my sql table for users I have one field named 'active',
> which I want turned on or off depending on the state of the users
> subscription. And I want new subscriptions that come in to create a new
> user.
> Is there any code out there that can do that thats easy to integrate? I
> think I understand the basic consept of IPN, I just need some code that
> can do what I mentioned in the above paragraph.

I found Paypal's own IPN code to be very confusing.  I downloaded the following
class and it worked great for me: 
http://www.micahcarrick.com/v2/content/view/1/3/

Good luck,
Chuck

----------------------------------------------------------------
This message was sent using IMP, the Internet Messaging Program.



From jay_nyphp at fastmail.fm  Fri Sep 16 10:21:04 2005
From: jay_nyphp at fastmail.fm (Jayesh Sheth)
Date: Fri, 16 Sep 2005 10:21:04 -0400
Subject: [nycphp-talk] Code cleanliness vs. code popularity
Message-ID: <1126880464.15372.243077064@webmail.messagingengine.com>

Hello all,

I was recently reading through the phpBB source code, and had some
observations to shares. In most of the pages / script files I looked
through, there were 1000 - 2000 lines of PHP code, with no functions or
comments. While the code itself is strictly procedural, it is also to
the point, and not indecipherable.

Still, some interesting questions came to me: how can one of the most
popular PHP applications be written in eighties-style procedural code?
Or, to rephrase it: are object-oriented design, (fancy) frameworks not
useful in practice? How many of you have worked with commercial, open
source or in-house frameworks? Have you found these frameworks to be
useful in the long run, or do they just get in the way?

I have long been a fan of PEAR (and other external / third-party)
libraries. I much prefer to save myself work, when I do not have to
reinvent the wheel. Still, in many companies, people prefer to write
everything from scratch, often wrapped up in laborious frameworks. In
your collective experience, what's the best policy for code development?
In other words: bang it out, test it, ship it, receive feedback, fix it,
and then back to the beginning again, or: huge design upfront, OO or
functionized code,UML diagrams, and the 'f' word: a framework.

I personally cannot write strictly procedural code any more, and I
prefer a mix of functionized and OO code. Still, real world applications
- popular real world applications, often totally avoid this approach.
So, what gives?

- Jay


From hendler at simmons.edu  Fri Sep 16 10:35:40 2005
From: hendler at simmons.edu (Jonathan)
Date: Fri, 16 Sep 2005 10:35:40 -0400
Subject: [nycphp-talk] Code cleanliness vs. code popularity
In-Reply-To: <1126880464.15372.243077064@webmail.messagingengine.com>
References: <1126880464.15372.243077064@webmail.messagingengine.com>
Message-ID: <432AD83C.10701@simmons.edu>

I think you are bringing up some good points.
For example, at one of my previous jobs I had written a lot of objects 
with functions that operated on $this keywords. Many of the functions 
"needed" to be accessed in a static way like Class :: function(); and 
$this doesn't cut it. So I had to rewrite them. Instantiating classes in 
PHP used to be slow.

Where OOP can shine is when you think in terms of Business Objects and 
Business Logic. And a lot of non-programmers , who pay your salary, do. 
Flowcharts, forms, datasets all can be mapped easily to components that 
can be serialized and reused. Not only that, it's easier to abstract 
these terms to the point where there is code generation. PHP might have 
some cool procedures, but they are likely difficult to reuse with a 
simple include() statement.
That being said, sometimes OOP is just a way to give a set of functions 
a namespace.

I mix functional and OOP programming depending on context, and I try to 
be careful when I use OOP not to require instatiation on helper or  
utility functions.

Jayesh Sheth wrote:

>Hello all,
>
>I was recently reading through the phpBB source code, and had some
>observations to shares. In most of the pages / script files I looked
>through, there were 1000 - 2000 lines of PHP code, with no functions or
>comments. While the code itself is strictly procedural, it is also to
>the point, and not indecipherable.
>
>Still, some interesting questions came to me: how can one of the most
>popular PHP applications be written in eighties-style procedural code?
>Or, to rephrase it: are object-oriented design, (fancy) frameworks not
>useful in practice? How many of you have worked with commercial, open
>source or in-house frameworks? Have you found these frameworks to be
>useful in the long run, or do they just get in the way?
>
>I have long been a fan of PEAR (and other external / third-party)
>libraries. I much prefer to save myself work, when I do not have to
>reinvent the wheel. Still, in many companies, people prefer to write
>everything from scratch, often wrapped up in laborious frameworks. In
>your collective experience, what's the best policy for code development?
>In other words: bang it out, test it, ship it, receive feedback, fix it,
>and then back to the beginning again, or: huge design upfront, OO or
>functionized code,UML diagrams, and the 'f' word: a framework.
>
>I personally cannot write strictly procedural code any more, and I
>prefer a mix of functionized and OO code. Still, real world applications
>- popular real world applications, often totally avoid this approach.
>So, what gives?
>
>- Jay
>_______________________________________________
>New York PHP Talk Mailing List
>AMP Technology
>Supporting Apache, MySQL and PHP
>http://lists.nyphp.org/mailman/listinfo/talk
>http://www.nyphp.org
>  
>



From joshmccormack at travelersdiary.com  Fri Sep 16 10:52:01 2005
From: joshmccormack at travelersdiary.com (joshmccormack at travelersdiary.com)
Date: Fri, 16 Sep 2005 16:52:01 +0200
Subject: [nycphp-talk]
	=?iso-8859-1?q?Code_cleanliness_vs=2E_code_popularit?=
	=?iso-8859-1?q?y?=
Message-ID: <0MKp2t-1EGHbG27Gh-0007hK@mrelay.perfora.net>


I haven't heard too many kind things said of phpBB code  - it frequents
the security warning lists, doesn't it?

I don't understand why someone wouldn't use functions. I don't profess
to be an expert, knowing tons of patterns and in the ins-and-outs of OO
programming. But I used functions anywhere I can - Javascript, PHP,
Java, etc. It just seems so natural.

Here's my funny story that tells you about people not using frameworks.
Before PHP had really risen to what it is, and Perl reigned mighty, I
knew a guy who worked at Cold Spring laboratories, down the hall from
the author of CGI.pm, arguably the Perl framework for web stuff. And he
refused to use modules, he wanted to write everything himself.

I have my own method of evaluating packages, frameworks, etc. which I do
before using any, but I always try to use other's hard work, rather
than reinvent the wheel.

Josh

Jayesh Sheth <jay_nyphp at fastmail.fm> wrote on 09/16/2005, 04:21:04 PM:
> Hello all,
> 
> I was recently reading through the phpBB source code, and had some
> observations to shares. In most of the pages / script files I looked
> through, there were 1000 - 2000 lines of PHP code, with no functions or
> comments. While the code itself is strictly procedural, it is also to
> the point, and not indecipherable.
> 
> Still, some interesting questions came to me: how can one of the most
> popular PHP applications be written in eighties-style procedural code?
> Or, to rephrase it: are object-oriented design, (fancy) frameworks not
> useful in practice? How many of you have worked with commercial, open
> source or in-house frameworks? Have you found these frameworks to be
> useful in the long run, or do they just get in the way?
> 
> I have long been a fan of PEAR (and other external / third-party)
> libraries. I much prefer to save myself work, when I do not have to
> reinvent the wheel. Still, in many companies, people prefer to write
> everything from scratch, often wrapped up in laborious frameworks. In
> your collective experience, what's the best policy for code development?
> In other words: bang it out, test it, ship it, receive feedback, fix it,
> and then back to the beginning again, or: huge design upfront, OO or
> functionized code,UML diagrams, and the 'f' word: a framework.
> 
> I personally cannot write strictly procedural code any more, and I
> prefer a mix of functionized and OO code. Still, real world applications
> - popular real world applications, often totally avoid this approach.
> So, what gives?
> 
> - Jay
> _______________________________________________
> New York PHP Talk Mailing List
> AMP Technology
> Supporting Apache, MySQL and PHP
> http://lists.nyphp.org/mailman/listinfo/talk
> http://www.nyphp.org


From shiflett at php.net  Fri Sep 16 11:30:17 2005
From: shiflett at php.net (Chris Shiflett)
Date: Fri, 16 Sep 2005 11:30:17 -0400
Subject: [nycphp-talk] Zend Certification
In-Reply-To: <5458518f0509151831af53b9b@mail.gmail.com>
References: <5458518f0509151831af53b9b@mail.gmail.com>
Message-ID: <432AE509.2060502@php.net>

Anthony Papillion wrote:
> I'm wanting to find something that can immediately
> differentiate myself and my skill set from those people
> without the client or employer having to setup an
> interview and review sample code, etc. I think a Zend
> cert might help do that.

I think the certification has a lot of value, but keep in mind that it 
is intended to set a baseline for professional PHP developers. It is 
often advertised as identifying PHP experts, but I don't think such a 
label is entirely accurate.

> My question is this: how seriously is the certification
> taken by employers and clients?

I found Zend's recent webcast pretty informative:

http://www.zend.com/webcasts/archive.php

Chris

-- 
Chris Shiflett
Brain Bulb, The PHP Consultancy
http://brainbulb.com/


From codebowl at gmail.com  Fri Sep 16 12:38:29 2005
From: codebowl at gmail.com (Joseph Crawford)
Date: Fri, 16 Sep 2005 12:38:29 -0400
Subject: [nycphp-talk] PHP / Word 2003 COM
In-Reply-To: <8d9a428005091605591e654e81@mail.gmail.com>
References: <8d9a428005091605591e654e81@mail.gmail.com>
Message-ID: <8d9a428005091609386e9f3789@mail.gmail.com>

ok so i have figured it out well almost. I am having one issue that i cannot 
seem to figure out how to fix.

When i run my script it goes through the process of creating the mail merge. 
If i refresh to attempt to do it again my script hangs trying to create the 
COM object. I have to manually restart my computer before i can run the 
merge again. Obviously this is not acceptable. Have any of you guys had this 
issue before when using COM objects?

Below is my code for my MailMerge class completed with help from 
http://www.zend.com/tips/tips.php?id=262&single=1


CODE
==========================================
<?php

class MailMerge {
private $mm_data_dir;
private $obj;
private $fieldcnt;
private $rowcnt;

public function __construct($list = null, $data_dir = 'data/mailmerge') {
if(!is_array($list)) throw new Exception('Cannot Create A Mail Merge With An 
Empty List.');
$this->mm_data_dir = BASE_PATH.'/'.$data_dir;
$this->list = $list;
$this->initilize();

$this->CreateHeaderFile();
$this->CreateDataSource();
$this->CreateFile();
return($this->mm_data_dir.'/merge.doc');
}

private function initilize() {
$this->rowcnt = count($this->list);
$fieldcnt = 0;
foreach($this->list as $key => $item) {
if($fieldcnt == 0) $fieldcnt = count($item);
$this->columns[] = $key;
}
$this->fieldcnt = $fieldcnt;
}

private function Close() {
$this->obj->Documents->Close();
}

private function Quit() {
$this->obj->Quit(); 
}

private function Release() {
$this->obj = NULL; 
}

private function CreateHeaderFile() {
$this->obj = new COM("word.application") or die('Couldnt load Word!');
if(!is_object($this->obj)) throw new Exception('Unable to instanciate 
Word!');
$this->obj->Documents->Add();
$this->obj->ActiveDocument->Tables->Add($this->obj->Selection->Range,1,$this->fieldcnt);

foreach($this->list as $item) {
foreach($item as $key => $value) {
$this->obj->Selection->TypeText($key);
$this->obj->Selection->MoveRight();
} 
}
$this->obj->ActiveDocument->SaveAs($this->mm_data_dir.'/header.doc');
$this->Close();
$this->Quit();
$this->Release();
}

private function CreateDataSource() {
$this->obj = new COM("word.application");
if(!is_object($this->obj)) throw new Exception('Unable to instanciate 
Word!');
$this->obj->Documents->Add();
$this->obj->ActiveDocument->Tables->Add($this->obj->Selection->Range,$this->rowcnt,$this->fieldcnt);

foreach($this->list as $key => $item) {
foreach($item as $key => $value) {
$this->obj->Selection->TypeText($value);
$this->obj->Selection->MoveRight();
}
}
$this->obj->ActiveDocument->SaveAs($this->mm_data_dir.'/ds.doc');
$this->Close();
$this->Quit();
$this->Release();
}

private function CreateFile() {
$this->obj = new COM("word.application"); 
if(!is_object($this->obj)) throw new Exception('Unable to instanciate 
Word!');
echo $this->mm_data_dir.'/has_sites.dot';
$this->obj->Documents->Open($this->mm_data_dir.'/has_sites.dot');
$this->obj->ActiveDocument->MailMerge->OpenHeaderSource($this->mm_data_dir.'/header.doc');
$this->obj->ActiveDocument->MailMerge->OpenDataSource($this->mm_data_dir.'/ds.doc');
$this->obj->ActiveDocument->MailMerge->Execute();
$this->obj->ActiveDocument->SaveAs($this->mm_data_dir.'/merge.doc');
$this->Close();
$this->Quit();
$this->Release();
unlink($this->mm_data_dir.'/header.doc');
unlink($this->mm_data_dir.'/ds.doc');
}
}
?>
==========================================

Any help would be appreciated.


-- 
Joseph Crawford Jr.
Codebowl Solutions, Inc.
1-802-671-2021
codebowl at gmail.com
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.nyphp.org/pipermail/talk/attachments/20050916/e4f989a5/attachment.html>

From 1j0lkq002 at sneakemail.com  Fri Sep 16 13:13:58 2005
From: 1j0lkq002 at sneakemail.com (inforequest)
Date: Fri, 16 Sep 2005 10:13:58 -0700
Subject: [nycphp-talk] Code cleanliness vs. code popularity
In-Reply-To: <1126880464.15372.243077064@webmail.messagingengine.com>
References: <1126880464.15372.243077064@webmail.messagingengine.com>
Message-ID: <13544-39748@sneakemail.com>

Jayesh Sheth jay_nyphp-at-fastmail.fm |nyphp dev/internal group use| wrote:

>Hello all,
>
>I was recently reading through the phpBB source code, and had some
>observations to shares. In most of the pages / script files I looked
>through, there were 1000 - 2000 lines of PHP code, with no functions or
>comments. While the code itself is strictly procedural, it is also to
>the point, and not indecipherable.
>
>Still, some interesting questions came to me: how can one of the most
>popular PHP applications be written in eighties-style procedural code?
>Or, to rephrase it: are object-oriented design, (fancy) frameworks not
>useful in practice? How many of you have worked with commercial, open
>source or in-house frameworks? Have you found these frameworks to be
>useful in the long run, or do they just get in the way?
>
>I have long been a fan of PEAR (and other external / third-party)
>libraries. I much prefer to save myself work, when I do not have to
>reinvent the wheel. Still, in many companies, people prefer to write
>everything from scratch, often wrapped up in laborious frameworks. In
>your collective experience, what's the best policy for code development?
>In other words: bang it out, test it, ship it, receive feedback, fix it,
>and then back to the beginning again, or: huge design upfront, OO or
>functionized code,UML diagrams, and the 'f' word: a framework.
>
>I personally cannot write strictly procedural code any more, and I
>prefer a mix of functionized and OO code. Still, real world applications
>- popular real world applications, often totally avoid this approach.
>So, what gives?
>
>- Jay
>_________________
>
Hi jay.

As someone who works with alot of other people's code, I used to always 
want to re-write stuff rather than learn-and-then-hack with it. It seemd 
like the best aproach in the long term, for everyon einvlved (client, 
maintainers, mission).

I was wrong.

There is alot of cognitive overhead to classes and frameworks. If you 
have to step into an app, you need to get to a point where you can 
visualize the framework before you can be sure of the consequences of 
changes, right? That's a big headache for a highly-utilized yet 
infrequently-modified system.

With procedural code, a new coder can step through it rather easily and 
be pretty sure of the consequences of change... the places where scope 
is ill-defined or dependencies exists pop out at you.

I know I am way out on the fringe when it comes to professional PHP 
coding, but I can understand when an older app with a large community 
sticks with an existing procedural code base. It makes alot of sense to 
me, given the circumstances. Of course, every situation will put its own 
weights on those factors.

-=john andrews
http://www.seo-fun.com



From codebowl at gmail.com  Fri Sep 16 13:29:06 2005
From: codebowl at gmail.com (Joseph Crawford)
Date: Fri, 16 Sep 2005 13:29:06 -0400
Subject: [nycphp-talk] PHP / Word 2003 COM
In-Reply-To: <8d9a428005091609386e9f3789@mail.gmail.com>
References: <8d9a428005091605591e654e81@mail.gmail.com>
	<8d9a428005091609386e9f3789@mail.gmail.com>
Message-ID: <8d9a428005091610298aaa589@mail.gmail.com>

Through extensive testing i have found this to work everytime that i run it 
in debug mode through zend studio, however when i run it via the URL it 
crashes Apache and this is the contents of the Error Log

[Fri Sep 16 13:14:18 2005] [notice] Parent: child process exited with status 
3221225477 -- Restarting.
[Fri Sep 16 13:14:19 2005] [notice] Apache/2.0.54 (Win32) PHP/5.0.4 
configured -- resuming normal operations
[Fri Sep 16 13:14:19 2005] [notice] Server built: Apr 16 2005 14:25:31
[Fri Sep 16 13:14:19 2005] [notice] Parent: Created child process 5396
[Fri Sep 16 13:14:20 2005] [notice] Child 5396: Child process is running
[Fri Sep 16 13:14:20 2005] [notice] Child 5396: Acquired the start mutex.
[Fri Sep 16 13:14:20 2005] [notice] Child 5396: Starting 250 worker threads.

Anyone that can help i would very much appreciate it.


-- 
Joseph Crawford Jr.
Codebowl Solutions, Inc.
1-802-671-2021
codebowl at gmail.com
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.nyphp.org/pipermail/talk/attachments/20050916/2c710eae/attachment.html>

From codebowl at gmail.com  Fri Sep 16 13:30:09 2005
From: codebowl at gmail.com (Joseph Crawford)
Date: Fri, 16 Sep 2005 13:30:09 -0400
Subject: [nycphp-talk] PHP / Word 2003 COM
In-Reply-To: <8d9a428005091610298aaa589@mail.gmail.com>
References: <8d9a428005091605591e654e81@mail.gmail.com>
	<8d9a428005091609386e9f3789@mail.gmail.com>
	<8d9a428005091610298aaa589@mail.gmail.com>
Message-ID: <8d9a4280050916103035ccd546@mail.gmail.com>

i should note that i am using basically the same url when testing and 
debugging

test url
http://codebowl.dontexist.net/csaf/mm.php

debug URL
http://codebowl.homelinux.net:443/csaf/mm.php?start_debug=1&debug_port=10000&debug_host=192.168.1.103,192.168.0.1,127.0.0.1&send_sess_end=1&debug_no_cache=1126890649718&debug_stop=1&debug_url=1&debug_new_session=1


-- 
Joseph Crawford Jr.
Codebowl Solutions, Inc.
1-802-671-2021
codebowl at gmail.com
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.nyphp.org/pipermail/talk/attachments/20050916/502d7b68/attachment.html>

From codebowl at gmail.com  Fri Sep 16 14:55:46 2005
From: codebowl at gmail.com (Joseph Crawford)
Date: Fri, 16 Sep 2005 14:55:46 -0400
Subject: [nycphp-talk] Code Optimization Help
Message-ID: <8d9a428005091611552eb8f15e@mail.gmail.com>

Hello Everyone,

I have some code that is using COM to interact with MS Word to create a mail 
merge based on my mysql database, however it is running dreadfully slow 
13.53846 seconds to be exact. This is only running on 34 records, i could 
imagine running this on a few hundred records not to mention thousand. Is 
COM usually this slow? These load times i believe to be accurate as they 
come from zend studio's profiler.
You can see screenshots of the profile @ 
http://codebowl.dontexist.net/bugs/MailMerge/ Below you will see my code, 
anything you guys see that i could do to speed this up quite a bit i would 
appreciate it. It seems the naughty methods are CreateHeader, 
CreateDataSource, CreateDocument.


CODE
=====================================================
<?php

class MailMerge {
private $mm_data_dir;
private $obj;
private $fieldcnt;
private $rowcnt;
private $letter_template;
private $envelope_template;

public function __construct($list = null, $letter = 'Has_Site', $envelope = 
'Envelope', $data_dir = 'data/mailmerge') {
if(!is_array($list)) throw new Exception('Cannot Create A Mail Merge With An 
Empty List.');
$this->mm_data_dir = 'F:/htdocs/csaf/'.$data_dir;
$this->list = $list;
$this->letter_template = $letter;
$this->envelope_template = $envelope;
$this->initilize();

$this->CreateHeaderFile();
$this->CreateDataSource();
$this->CreateDocument($this->letter_template);
$this->CreateDocument($this->envelope_template);
}

public function __destruct() {
unlink($this->mm_data_dir.'/ds.doc');
unlink($this->mm_data_dir.'/header.doc');
}

private function initilize() {
$this->rowcnt = count($this->list);
$this->fieldcnt = count($this->list[0]);
}

private function Close() {
$this->obj->Documents->Close();
}

private function Quit() {
$this->obj->Quit(); 
}

private function Release() {
$this->obj = NULL; 
}

private function CreateHeaderFile() {
$this->obj = new COM("word.application") or die('Couldnt load Word!');
if(!is_object($this->obj)) throw new Exception('Unable to instanciate 
Word!');
$this->obj->Documents->Add();
$this->obj->ActiveDocument->Tables->Add($this->obj->Selection->Range,1,$this->fieldcnt);

for($i = 0; $i <= $this->rowcnt; $i++) {
foreach($this->list[$i] as $key => $value) {
$this->obj->Selection->TypeText($key);
$this->obj->Selection->MoveRight();
} 
}
$this->obj->ActiveDocument->SaveAs($this->mm_data_dir.'/header.doc');
$this->Close();
$this->Quit();
$this->Release();
}

private function CreateDataSource() {
$this->obj = new COM("word.application");
if(!is_object($this->obj)) throw new Exception('Unable to instanciate 
Word!');
$this->obj->Documents->Add();
$this->obj->ActiveDocument->Tables->Add($this->obj->Selection->Range,$this->rowcnt,$this->fieldcnt);

for($i = 0; $i <= $this->rowcnt; $i++) {
foreach($this->list[$i] as $key => $value) {
$this->obj->Selection->TypeText($value);
$this->obj->Selection->MoveRight();
}
}
$this->obj->ActiveDocument->SaveAs($this->mm_data_dir.'/ds.doc');
$this->Close();
$this->Quit();
$this->Release();
}

private function CreateDocument($template) {
$this->obj = new COM("word.application"); 
if(!is_object($this->obj)) throw new Exception('Unable to instanciate 
Word!');
$this->obj->Documents->Open($this->mm_data_dir.'/'.$template.'.dot');
$this->obj->ActiveDocument->MailMerge->OpenHeaderSource($this->mm_data_dir.'/header.doc');
$this->obj->ActiveDocument->MailMerge->OpenDataSource($this->mm_data_dir.'/ds.doc');
$this->obj->ActiveDocument->MailMerge->Execute();
$this->obj->ActiveDocument->SaveAs($this->mm_data_dir.'/'.$template.'.doc');
$this->Close();
$this->Quit();
$this->Release();
}
}
?>

-- 
Joseph Crawford Jr.
Codebowl Solutions, Inc.
1-802-671-2021
codebowl at gmail.com
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.nyphp.org/pipermail/talk/attachments/20050916/fb8738e8/attachment.html>

From ken at secdat.com  Fri Sep 16 19:11:25 2005
From: ken at secdat.com (Kenneth Downs)
Date: Fri, 16 Sep 2005 19:11:25 -0400 (EDT)
Subject: [nycphp-talk] Code cleanliness vs. code popularity
In-Reply-To: <1126880464.15372.243077064@webmail.messagingengine.com>
References: <1126880464.15372.243077064@webmail.messagingengine.com>
Message-ID: <38085.38.117.147.25.1126912285.squirrel@38.117.147.25>


> Hello all,
>
> I was recently reading through the phpBB source code, and had some
> observations to shares. In most of the pages / script files I looked
> through, there were 1000 - 2000 lines of PHP code, with no functions or
> comments. While the code itself is strictly procedural, it is also to
> the point, and not indecipherable.
>
> Still, some interesting questions came to me: how can one of the most
> popular PHP applications be written in eighties-style procedural code?
> Or, to rephrase it: are object-oriented design, (fancy) frameworks not
> useful in practice? How many of you have worked with commercial, open
> source or in-house frameworks? Have you found these frameworks to be
> useful in the long run, or do they just get in the way?

I don't know the developers, but if I had to guess I would say it was a
very small group that has total control of coding practice.  Most of the
"crucial advances" in programming languages of the past 20 years are meant
to make it easier for large groups to work together.  When one or a few
people work very intensely on a project, the only thing that really seems
to matter is that they stay focused and undistracted, in which case they
always know what is going on and can code it in sanskrit if they want.

>
> I have long been a fan of PEAR (and other external / third-party)
> libraries. I much prefer to save myself work, when I do not have to
> reinvent the wheel. Still, in many companies, people prefer to write
> everything from scratch, often wrapped up in laborious frameworks. In
> your collective experience, what's the best policy for code development?
> In other words: bang it out, test it, ship it, receive feedback, fix it,
> and then back to the beginning again, or: huge design upfront, OO or
> functionized code,UML diagrams, and the 'f' word: a framework.

Since opinions you desire, opnions you shall have! :)

First is the min/max principle.  Use the smallest number of technologies
to the largest benefit.  This thinking drives me away from Java and to
PHP.  One simple example is that I can do anything with a PHP Associative
Array, while Java wants me to use all kinds of different objects for
different purposes.  That violates min/max.

The reason big shops avoid 3rd party stuff is they want to keep control
and avoid having their quality rest upon somebody else's work.  This is
very important when the 3rd parties are commercial and tend to go out of
business on you.

I've written 1 LAN framework, one C/S framework, and one 3-tier framework.
 The reason people like to do them is because they are fun, a lot more fun
than coding up the invoice form.  Therein also lies their threat.  They
become complicated and random, and then everyone is working for the
framework instead of the framework working for you.

My biggest beef with frameworks is that they are usually all about
managing labor instead of eliminating it.  Why lay out 20 tasks for me to
do for every table in a database?  If they are so well known, shouldn't
the framework do them automatically for me?  My latest 3-tier framework is
as close to zero-code as I've gotten, and it's where I want to stay.

The two largest groups of unreasonable zealots you will ever meet are the
high priests of the the Two Towers, Object Orientation and Database
Theory.  The only way to work out how to handle what they say is to make
sure you understand it.  The database people see all the world as tables,
and the OO people see everything as an object.  Since everything in the
end does end up in a database, I tend to think the database people are
more correct, but they are doing nothing with this advantage.

>
> I personally cannot write strictly procedural code any more, and I
> prefer a mix of functionized and OO code. Still, real world applications
> - popular real world applications, often totally avoid this approach.
> So, what gives?

Well consider that there is nothing inherent in a web call that requires
OO.  Strictly speaking it is a procedural operation, which might be
written out as:

1) Trying to logout?  Reset their session
2) No session?  Give 'em a cookie
3) Not authenticated?  Send 'em to the login page
4) What do they want?  Any database writes to do? Do 'em
5) What will we show them?  Any database reads? Do 'em
6) Format the HTML, send it out.

There is nothing in that that requires OO.  There are repeating designs
that suggest it, such as an object for every table, but somehow I've
managed to get along just fine without that.  Instead I have a datafile
for every table that describes the table and a common library that reads
the data file to figure out what to do.

Bottom line: experiment with what feels most comfortable to you naturally,
and here and there experiment with things that do not feel so comfortable.
 Sometimes you will be glad you did because you'll learn something new,
and sometimes you'll confirm your hunch that you didn't want to go that
way.



>
> - Jay
> _______________________________________________
> New York PHP Talk Mailing List
> AMP Technology
> Supporting Apache, MySQL and PHP
> http://lists.nyphp.org/mailman/listinfo/talk
> http://www.nyphp.org
>


-- 
Kenneth Downs
Secure Data Software
631-379-0010
ken at secdat.com
PO Box 708
East Setauket, NY 11733



From greg.rundlett at gmail.com  Fri Sep 16 20:21:49 2005
From: greg.rundlett at gmail.com (Greg Rundlett)
Date: Fri, 16 Sep 2005 20:21:49 -0400
Subject: [nycphp-talk] Code Optimization Help
In-Reply-To: <8d9a428005091611552eb8f15e@mail.gmail.com>
References: <8d9a428005091611552eb8f15e@mail.gmail.com>
Message-ID: <5e2aaca405091617213a92b124@mail.gmail.com>

On 9/16/05, Joseph Crawford <codebowl at gmail.com> wrote:
> 
> Hello Everyone,
> 
> I have some code that is using COM to interact with MS Word to create a 
> mail merge based on my



sorry i don't have time to review your code, but just wanted to point out 
that http://pastebin.com is the best tool I know of for soliciting feedback 
on code.... you paste your code, and then post the link in your mailinglist, 
forum whatever.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.nyphp.org/pipermail/talk/attachments/20050916/8a8d9a5d/attachment.html>

From codebowl at gmail.com  Fri Sep 16 21:09:14 2005
From: codebowl at gmail.com (Joseph Crawford)
Date: Fri, 16 Sep 2005 21:09:14 -0400
Subject: [nycphp-talk] Code Optimization Help
In-Reply-To: <5e2aaca405091617213a92b124@mail.gmail.com>
References: <8d9a428005091611552eb8f15e@mail.gmail.com>
	<5e2aaca405091617213a92b124@mail.gmail.com>
Message-ID: <8d9a4280050916180931cf7678@mail.gmail.com>

Greg,

I realize this however the code is only stored there for what 3 hours i 
think... then it's gone so i figured i would post to the list

On 9/16/05, Greg Rundlett <greg.rundlett at gmail.com> wrote:
> 
> 
> 
> On 9/16/05, Joseph Crawford <codebowl at gmail.com> wrote:
> > 
> > Hello Everyone,
> > 
> > I have some code that is using COM to interact with MS Word to create a 
> > mail merge based on my
> 
> 
> 
> sorry i don't have time to review your code, but just wanted to point out 
> that http://pastebin.com is the best tool I know of for soliciting 
> feedback on code.... you paste your code, and then post the link in your 
> mailinglist, forum whatever.
> 
> 
> _______________________________________________
> New York PHP Talk Mailing List
> AMP Technology
> Supporting Apache, MySQL and PHP
> http://lists.nyphp.org/mailman/listinfo/talk
> http://www.nyphp.org
> 
> 


-- 
Joseph Crawford Jr.
Codebowl Solutions, Inc.
1-802-671-2021
codebowl at gmail.com
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.nyphp.org/pipermail/talk/attachments/20050916/0fc7a103/attachment.html>

From phil at bearingasset.com  Sat Sep 17 09:08:28 2005
From: phil at bearingasset.com (Phil Duffy)
Date: Sat, 17 Sep 2005 09:08:28 -0400
Subject: [nycphp-talk] Code cleanliness vs. code popularity
In-Reply-To: <13544-39748@sneakemail.com>
Message-ID: <20050917130842.BF7E2A86D1@virtu.nyphp.org>



> -----Original Message-----
> From: talk-bounces at lists.nyphp.org [mailto:talk-bounces at lists.nyphp.org]
> On Behalf Of inforequest
> Sent: Friday, September 16, 2005 12:14 PM
> To: talk at lists.nyphp.org
> Subject: Re: [nycphp-talk] Code cleanliness vs. code popularity

John Andrews wrote:

> There is alot of cognitive overhead to classes and frameworks. If you
> have to step into an app, you need to get to a point where you can
> visualize the framework before you can be sure of the consequences of
> changes, right? That's a big headache for a highly-utilized yet
> infrequently-modified system.
> 
> With procedural code, a new coder can step through it rather easily and
> be pretty sure of the consequences of change... the places where scope
> is ill-defined or dependencies exists pop out at you.

Hi John,

I think you have hit the nail on the head.  I am going through the process
of learning PHP, XHTML and CSS while developing a major application that
uses PEAR libraries and an MVC framework.  I have lots of procedural
programming experience and lots of object-oriented design experience, but
little object-oriented programming experience (a strange combination).  The
learning curve is steep because things are not always done the direct and
obvious way, but in a manner reflecting "best practices".

I believe we are dealing with a tradeoff versus an absolute on this
question.  For a "highly utilized, yet infrequently modified system"
procedural code may be the right strategy.  However, I can't recall too many
situations in my career when I was exposed to that kind of project.  Clients
seem to want to extend successful systems and you reach the tipping point
where procedural code maintenance becomes increasingly problematic.  It is
difficult at that point to reverse field.

It is too soon to determine if my current project will be a success, but
currently I am pursuing a modification of your rule - if there is any doubt
about extending the system, accept the grief of the steeper object-oriented
learning curve and framework and simply accept this as a cost of doing
business.

I hope this perspective helps.  Clearly we are dealing with a subject that
lacks absolutes.

Phil





From lists at zaunere.com  Sat Sep 17 09:25:56 2005
From: lists at zaunere.com (Hans Zaunere)
Date: Sat, 17 Sep 2005 09:25:56 -0400
Subject: [nycphp-talk] FW: [nycbug-talk] Live from NYCBSDCon
Message-ID: <0MKp2t-1EGchX3XVU-0004h7@mrelay.perfora.net>


Hi folks - fun from Columbia at NYCBSDCon '05 - tune in below...


---
Hans Zaunere / President / New York PHP
   www.nyphp.org  /  www.nyphp.com


Hans Zaunere wrote on Saturday, September 17, 2005 9:25 AM:
> Good morning,
> 
> We're live at NYCBSDCon '05 from Columbia University.
> 
> Thanks to all those who could attend, and for those who couldn't make
> it, watch our live stream from the conference:
> 
> http://neuropunks.org/nycbsdcon/
> 
> Hans Zaunere
> 
> 
> _______________________________________________
> % NYC*BUG talk mailing list
> http://lists.nycbug.org/mailman/listinfo/talk
> %Be sure to check out our Jobs and NYCBUG-announce lists
> %We meet the first Wednesday of the month



From danielc at analysisandsolutions.com  Sat Sep 17 18:38:14 2005
From: danielc at analysisandsolutions.com (Daniel Convissor)
Date: Sat, 17 Sep 2005 18:38:14 -0400
Subject: [nycphp-talk] Input Filtering
In-Reply-To: <4b188711050725100013671882@mail.gmail.com>
References: <4b188711050725100013671882@mail.gmail.com>
Message-ID: <20050917223814.GA7988@panix.com>

Hey Jeff:

On Mon, Jul 25, 2005 at 01:00:28PM -0400, Jeff Loiselle wrote:
> Can anyone recommend any good packages for input filtering?

Check out my Form Solution.  Not the end all and be all, but it's pretty 
handy.  http://www.analysisandsolutions.com/software/form/

--Dan

-- 
 T H E   A N A L Y S I S   A N D   S O L U T I O N S   C O M P A N Y
            data intensive web and database programming
                http://www.AnalysisAndSolutions.com/
 4015 7th Ave #4, Brooklyn NY 11232  v: 718-854-0335 f: 718-854-0409


From jay_nyphp at fastmail.fm  Sat Sep 17 20:42:46 2005
From: jay_nyphp at fastmail.fm (Jayesh Sheth)
Date: Sat, 17 Sep 2005 20:42:46 -0400
Subject: [nycphp-talk] Code cleanliness vs. code popularity
Message-ID: <1127004166.9837.243155620@webmail.messagingengine.com>

Hello all,

thanks for your great, well-thought-out responses!
I agree with John Andrews (I keep wanting to call him Andrew!) that
there is a lot of advance learning required before getting into a
(heavy) framework. I also agree with Kenneth Downs that people often
write frameworks because they are fun to write (and always because they
are needed). 

When you are coding within the confines of a framework, you are expected
to do common things (database calls / business object usage,
configuration reads, template output) through the framework, and not
outside of it. There are some frameworks which have proven themselves to
be immensely useful, and perhaps indisensable to some. One of these, I
have heard, is Struts for Java. Another one for PHP that looks
beautifully perfect is Seagull (it uses PEAR libraries too). I like
Seagull's approach of building on existing PEAR libraries. This is good
for two reasons. The first is that there is no reinventing the wheel
[example: for form generation and validation (PEAR HTML_QuickForm is
used), and for DB access (PEAR DB is used)]. The second is that PEAR is
emerging as the de-facto standard for object oriented PHP code; by
building on PEAR, Seagull is using proven libraries to make a great
framework. I have not used Seagull, but I have looked at its code and
online docs. And there have been a bunch of (positive) articles about in
the PHP Journal / Magazine space recently.

Having thought about it a bit, I think that when phpBB was initially
released, it was coded by a small group of people, and filled an unmet
need. It grew greatly in popularity over time, but its codebase never
changed. It has some funky things in it that would prevent easy changes;
for example, in some scripts, there is a large switch / case block that
constructs SQL for either MySQL or Postgres or other DBs. It would have
been better to use different DB 'drivers' or classes for each DB type,
and pass an instance of those in at runtime (Strategy pattern: identify
the things that change, break them into their own classes, and using
composition pass them into another object at run time).

Then again, these very thoughts (cool design patterns) fill the heads of
people who write frameworks. And what can happen is that the framework
comes before the software that has to be written. What I mean is that
writing a cool framework becomes a goal in itself, rather than
supporting the end-goal of creating a piece of software that serves a
particular purpose well. 

I think it is really hard to write good software, and it is even harder
to write a good / useful framework. Writing a framework often involves
mind-reading, because a good framework will anticipate the needs of
applications that need to be built on top of it, and support it either
inherently or through easy extension.

There are many applications out there that serve a single purpose, and
do what they do very well (from a functionality point of view). They may
not be coded well, but from the user's perspective, they have cool
features, and work well. Examples in the PHP world are phpBB, Tasks Lite
/ Pro and Gallery. These applications may have chunks of HTML stuffed
into random strings, they may not use many functions, but they provide a
host of features that work, they are updated often, and many millions of
people use them.

I think it is unfortunate that many products that are built
on top of obsessed-over, carefully written frameworks fail to meet the
business needs they originally set out to fulfill. Thought: If at the
end of the
day a product does not serve its end users well, then should it be
considered a failure?

Just my 2 words cents :-)

- Jay


From 1j0lkq002 at sneakemail.com  Sat Sep 17 21:07:53 2005
From: 1j0lkq002 at sneakemail.com (inforequest)
Date: Sat, 17 Sep 2005 18:07:53 -0700
Subject: [nycphp-talk] Code cleanliness vs. code popularity
In-Reply-To: <1127004166.9837.243155620@webmail.messagingengine.com>
References: <1127004166.9837.243155620@webmail.messagingengine.com>
Message-ID: <24523-33632@sneakemail.com>

Jayesh Sheth jay_nyphp-at-fastmail.fm |nyphp dev/internal group use| wrote:

>Hello all,
>
>thanks for your great, well-thought-out responses!
>

Jay,

I think forums/bb's are a special case. They are a classic "script" 
situation, with a long history of being "scripted" as opposed to 
"developed". I recall an early version of a popular BB system (not sure 
how it is today) that was "object oriented PHP". Basically *everything* 
was in the constructor, so you instantiated an object and it ran all the 
routines contained within the constructor. Add a member? Create an "add 
a member" object and the constructor would run the functions for adding  
a member.  Make a new post? Instantiate a new_post object, and likewaise 
al lof the necessary routines would be run (in the constructor). It was 
a clean code set and easy to follow, but hardly an OO application.

-=john andrews
http://www.seo-fun.com when dreamhost isn't down


From greg.rundlett at gmail.com  Sat Sep 17 22:17:40 2005
From: greg.rundlett at gmail.com (Greg Rundlett)
Date: Sat, 17 Sep 2005 22:17:40 -0400
Subject: [nycphp-talk] Code cleanliness vs. code popularity
In-Reply-To: <24523-33632@sneakemail.com>
References: <1127004166.9837.243155620@webmail.messagingengine.com>
	<24523-33632@sneakemail.com>
Message-ID: <5e2aaca40509171917249783e@mail.gmail.com>

In my experience, fudforum <http://fudforum.org> is a better forum software 
than phpBB, and the main author is a PEAR member who has many code 
contributions to open source beyond fudforum. And, he (Ilya Alshanetsky) is 
also security conscious so that is a primary requirement of fudforum.

I haven't used it in a while, so I just downloaded it again and checked the 
source to see if it's Object Oriented. I can't be sure because the download 
only includes an installer, which apparently bootstraps the download of the 
software. That seems fine, however one major concern that I have is that 
there is binary content in the installer. I posed a question on the site to 
find out what it is, and how they could license it under the GPL if the 
installer itself is part binary.

Until that is clarified, I guess I would suggest NOT using it.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.nyphp.org/pipermail/talk/attachments/20050917/d95861d0/attachment.html>

From dcech at phpwerx.net  Sat Sep 17 23:45:02 2005
From: dcech at phpwerx.net (Dan Cech)
Date: Sat, 17 Sep 2005 23:45:02 -0400
Subject: [nycphp-talk] Code cleanliness vs. code popularity
In-Reply-To: <5e2aaca40509171917249783e@mail.gmail.com>
References: <1127004166.9837.243155620@webmail.messagingengine.com>	<24523-33632@sneakemail.com>
	<5e2aaca40509171917249783e@mail.gmail.com>
Message-ID: <432CE2BE.4050704@phpwerx.net>

Greg Rundlett wrote:
> In my experience, fudforum <http://fudforum.org> is a better forum software 
> than phpBB, and the main author is a PEAR member who has many code 
> contributions to open source beyond fudforum. And, he (Ilya Alshanetsky) is 
> also security conscious so that is a primary requirement of fudforum.

It certainly looks like an interesting alternative to the usual phpBB or 
vBulletin.  I've also heard good things about SimpleMachines Forum.

> I haven't used it in a while, so I just downloaded it again and checked the 
> source to see if it's Object Oriented. I can't be sure because the download 
> only includes an installer, which apparently bootstraps the download of the 
> software. That seems fine, however one major concern that I have is that 
> there is binary content in the installer. I posed a question on the site to 
> find out what it is, and how they could license it under the GPL if the 
> installer itself is part binary.

I was intrigued by your comment so I took a look.  It appears that they 
have essentially created a self-extracting archive with php.  The first 
part of the file contains php code which extracts the gzipped contents 
of the second portion of the file.

The reason for the binary data is twofold.  Firstly the gzipped data is 
binary and secondly they added some extra binary data (apparently an 
extract from linux kernel 2.4.18 to 'trick' windows into thinking it's a 
binary file and avoid line ending conversion.

To my mind it would have been much easier and more transparent to 
separate the gzipped source into its own file rather than lumping it in 
together, but as far as I know once decompressed you have full source so 
it should be fine GPL-wise.

A second approach would have been to base64 encode the gzipped data, 
which would have made it resilient against mangling by ftp clients etc.

> Until that is clarified, I guess I would suggest NOT using it.

I guess that should take care of the issues, I for one would love to 
hear any reports if people do use it for anything.

Dan


From arzala at gmail.com  Sun Sep 18 08:27:15 2005
From: arzala at gmail.com (Anirudh Zala)
Date: Sun, 18 Sep 2005 17:57:15 +0530
Subject: [nycphp-talk] [Re:  Code cleanliness vs. code popularity]
Message-ID: <432D5D23.1000705@gmail.com>

In general I would call OO as Luxury added to normal way of programming.
So it is meant to be only for those groups of programmers who can afford
it (in general, who really can understand it and can use it
effectively). Since there is not any standard convention in programming
that what technology or framework is to be used, programmer can choose
either any 1 of both or both of them. This entirely depends upon the
person who is going to code and the level of his/her experience.

Normally OO framework is used in Product based softwares where 80%-90%
requirements are defined, so developers can start building whatever kind
of framework according to requirements. And in future changes can be
released in terms of patches or service packs. So the real beauty of OO
programming shines only when you have most of requirements defined in
your mind.

But in other case where Service based softwares are developed, where at
a time you would have only half of the total requirements defined. So if
you start coding your software entirely using OO techniques, you might
have problems in future when some requirements differ in significant way
as you can not change frameworks or code easily which  is OO based. So
here you must choose mix environments where you design some code using
OO techniques and some code using procedural techniques like normal
functions. Most of web based softwares are service based only, because
requirements often get changed time by time depending upon users'
requests or by companies policies.

Though procedural code adds repetitive works sometimes, it keeps your
software easy to understand by new programmers, because web based
softwares are developed to keep running for long time and obviously,
team of same programmer can not be there always, as they might have been
moved to other projects or simply their life line is over.

You can see that C++ and Java are mainly OO programming languages, but
could you see their Effective versions that can be used for developing
web based softwares?

So personally, I would use both approaches in effective way while
developing web based softwares.

Thanks

Anirudh Zala

Jayesh Sheth wrote:
> Hello all,
> 
> I was recently reading through the phpBB source code, and had some
> observations to shares. In most of the pages / script files I looked
> through, there were 1000 - 2000 lines of PHP code, with no functions or
> comments. While the code itself is strictly procedural, it is also to
> the point, and not indecipherable.
> 
> Still, some interesting questions came to me: how can one of the most
> popular PHP applications be written in eighties-style procedural code?
> Or, to rephrase it: are object-oriented design, (fancy) frameworks not
> useful in practice? How many of you have worked with commercial, open
> source or in-house frameworks? Have you found these frameworks to be
> useful in the long run, or do they just get in the way?
> 
> I have long been a fan of PEAR (and other external / third-party)
> libraries. I much prefer to save myself work, when I do not have to
> reinvent the wheel. Still, in many companies, people prefer to write
> everything from scratch, often wrapped up in laborious frameworks. In
> your collective experience, what's the best policy for code development?
> In other words: bang it out, test it, ship it, receive feedback, fix it,
> and then back to the beginning again, or: huge design upfront, OO or
> functionized code,UML diagrams, and the 'f' word: a framework.
> 
> I personally cannot write strictly procedural code any more, and I
> prefer a mix of functionized and OO code. Still, real world applications
> - popular real world applications, often totally avoid this approach.
> So, what gives?
> 
> - Jay
> _______________________________________________
> New York PHP Talk Mailing List
> AMP Technology
> Supporting Apache, MySQL and PHP
> http://lists.nyphp.org/mailman/listinfo/talk
> http://www.nyphp.org
> 

----------------------------------------------------------------
Anirudh Zala (Production Manager),    ASPL, 814-815, Star Plaza,
Ph: +91 281 245 1894                  Phhulchhab Square,
anirudh at aspl.in                       Rajkot 360001, Gujarat
http://www.aspl.in                    INDIA
----------------------------------------------------------------


-- 
----------------------------------------------------------------
Anirudh Zala (Production Manager),    ASPL, 814-815, Star Plaza,
Ph: +91 281 245 1894                  Phhulchhab Square,
anirudh at aspl.in                       Rajkot 360001, Gujarat
http://www.aspl.in                    INDIA
----------------------------------------------------------------


From matt at jobsforge.com  Sun Sep 18 10:28:22 2005
From: matt at jobsforge.com (Matthew Terenzio)
Date: Sun, 18 Sep 2005 10:28:22 -0400
Subject: [nycphp-talk] [Re:  Code cleanliness vs. code popularity]
In-Reply-To: <432D5D23.1000705@gmail.com>
References: <432D5D23.1000705@gmail.com>
Message-ID: <c142d869796bc0183ab07e48aeb70f68@jobsforge.com>


On Sep 18, 2005, at 8:27 AM, Anirudh Zala wrote:

> So if
> you start coding your software entirely using OO techniques, you might
> have problems in future when some requirements differ in significant 
> way
> as you can not change frameworks or code easily which  is OO based.

Funny, because I tend to think the opposite.
If you know exactly what you want and it won't change, write a bunch of 
scripts.

If things might change down the line, encapsulate it. Then you can 
modify things without breaking it.

That said,  it's certainly possible to make large, flexible 
applications using procedural programming techniques, but thinking 
about the issues which OO was made to solve.



From jeff.siegel at nyphp.org  Sun Sep 18 13:28:23 2005
From: jeff.siegel at nyphp.org (Jeff Siegel)
Date: Sun, 18 Sep 2005 13:28:23 -0400
Subject: [nycphp-talk] NEW PHundamentals: HTTP Response Splitting
Message-ID: <0IN0009PRWJCXT00@mta6.srv.hcvlny.cv.net>

A new PHundamentals article - "HTTP Response Splitting" - has been posted.
This article addresses the issue of the botnet that attempts to inject email
headers in a PHP form.

As always, comments and suggestions are welcome. Please be sure the subject
line of your comment/suggestion refers to this article by name.

See:  <http://www.nyphp.org/phundamentals/http_response_splitting.php>
http://www.nyphp.org/phundamentals/http_response_splitting.php

Jeff Siegel

NYPHP PHundamentals

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.nyphp.org/pipermail/talk/attachments/20050918/f048043d/attachment.html>

From danielc at analysisandsolutions.com  Sun Sep 18 13:44:16 2005
From: danielc at analysisandsolutions.com (Daniel Convissor)
Date: Sun, 18 Sep 2005 13:44:16 -0400
Subject: [nycphp-talk] NEW PHundamentals: HTTP Response Splitting
In-Reply-To: <0IN0009PRWJCXT00@mta6.srv.hcvlny.cv.net>
References: <0IN0009PRWJCXT00@mta6.srv.hcvlny.cv.net>
Message-ID: <20050918174416.GA22271@panix.com>

Hi Jeff (and everyone):

On Sun, Sep 18, 2005 at 01:28:23PM -0400, Jeff Siegel wrote:
> A new PHundamentals article - "HTTP Response Splitting" - has been posted.
...
> http://www.nyphp.org/phundamentals/http_response_splitting.php

The posting seems to have ignored much of the discussion regarding this 
topic we had on the list.  In addition, the article is misnamed.  The 
attack at hand isn't response splitting, which has to do with injecting 
items into header() calls.

--Dan

-- 
 T H E   A N A L Y S I S   A N D   S O L U T I O N S   C O M P A N Y
            data intensive web and database programming
                http://www.AnalysisAndSolutions.com/
 4015 7th Ave #4, Brooklyn NY 11232  v: 718-854-0335 f: 718-854-0409


From jsiegel1 at optonline.net  Sun Sep 18 14:02:30 2005
From: jsiegel1 at optonline.net (Jeff Siegel)
Date: Sun, 18 Sep 2005 14:02:30 -0400
Subject: [nycphp-talk] NEW PHundamentals: HTTP Response Splitting
In-Reply-To: <20050918174416.GA22271@panix.com>
Message-ID: <0IN000GGNY46VR00@mta8.srv.hcvlny.cv.net>

Re: Title - Point well taken.

If there are some specifics of the discussion that you feel should be
included, do not hesitate to point out those particular items.

Remember (and this is really addressed to all), the Phundamentals are not
meant to recapitulate an entire discussion but to distill the essential
points. So if there are any essential points that are missing, please let it
be known so changes can be made. 

Jeff



-----Original Message-----
From: talk-bounces at lists.nyphp.org [mailto:talk-bounces at lists.nyphp.org] On
Behalf Of Daniel Convissor
Sent: Sunday, September 18, 2005 12:44 PM
To: NYPHP Talk
Subject: Re: [nycphp-talk] NEW PHundamentals: HTTP Response Splitting

Hi Jeff (and everyone):

On Sun, Sep 18, 2005 at 01:28:23PM -0400, Jeff Siegel wrote:
> A new PHundamentals article - "HTTP Response Splitting" - has been posted.
...
> http://www.nyphp.org/phundamentals/http_response_splitting.php

The posting seems to have ignored much of the discussion regarding this 
topic we had on the list.  In addition, the article is misnamed.  The 
attack at hand isn't response splitting, which has to do with injecting 
items into header() calls.

--Dan

-- 
 T H E   A N A L Y S I S   A N D   S O L U T I O N S   C O M P A N Y
            data intensive web and database programming
                http://www.AnalysisAndSolutions.com/
 4015 7th Ave #4, Brooklyn NY 11232  v: 718-854-0335 f: 718-854-0409
_______________________________________________
New York PHP Talk Mailing List
AMP Technology
Supporting Apache, MySQL and PHP
http://lists.nyphp.org/mailman/listinfo/talk
http://www.nyphp.org



From jeff.siegel at nyphp.org  Sun Sep 18 14:02:30 2005
From: jeff.siegel at nyphp.org (Jeff Siegel)
Date: Sun, 18 Sep 2005 14:02:30 -0400
Subject: [nycphp-talk] Phundamentals Title Change: Email Header Injection
Message-ID: <0IN000J45Y47A310@mta7.srv.hcvlny.cv.net>

The title of the most recent PHundamentals article has been changed to
"Email Header Injection." 
 
See: http://www.nyphp.org/phundamentals/email_header_injection.php
 
Jeff
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.nyphp.org/pipermail/talk/attachments/20050918/52c57e8a/attachment.html>

From danielc at analysisandsolutions.com  Sun Sep 18 14:13:59 2005
From: danielc at analysisandsolutions.com (Daniel Convissor)
Date: Sun, 18 Sep 2005 14:13:59 -0400
Subject: [nycphp-talk] NEW PHundamentals: HTTP Response Splitting
In-Reply-To: <0IN000GGNY46VR00@mta8.srv.hcvlny.cv.net>
References: <20050918174416.GA22271@panix.com>
	<0IN000GGNY46VR00@mta8.srv.hcvlny.cv.net>
Message-ID: <20050918181359.GB10855@panix.com>

Hey Jeff:

On Sun, Sep 18, 2005 at 02:02:30PM -0400, Jeff Siegel wrote:
> 
> Remember (and this is really addressed to all), the Phundamentals are not
> meant to recapitulate an entire discussion but to distill the essential
> points.

That makes total sense.  Thing is, the article posted looks like the text 
initially proposed in the thread, which includes several problems which I 
and other people raised.  The issues are too numerous to raise here again.

--Dan

-- 
 T H E   A N A L Y S I S   A N D   S O L U T I O N S   C O M P A N Y
            data intensive web and database programming
                http://www.AnalysisAndSolutions.com/
 4015 7th Ave #4, Brooklyn NY 11232  v: 718-854-0335 f: 718-854-0409


From shiflett at php.net  Sun Sep 18 15:30:04 2005
From: shiflett at php.net (Chris Shiflett)
Date: Sun, 18 Sep 2005 15:30:04 -0400
Subject: [nycphp-talk] NEW PHundamentals: HTTP Response Splitting
In-Reply-To: <20050918174416.GA22271@panix.com>
References: <0IN0009PRWJCXT00@mta6.srv.hcvlny.cv.net>
	<20050918174416.GA22271@panix.com>
Message-ID: <432DC03C.1080705@php.net>

Daniel Convissor wrote:
> In addition, the article is misnamed. The attack at hand
> isn't response splitting, which has to do with injecting 
> items into header() calls.

Yeah, I thought I had missed a cool thread or something at first. :-) 
For what it's worth, I think HTTP Response Splitting might make an 
interesting phundamental. I guess there's not tons to say, but maybe 
some people on this list have some creative ideas about what can be 
done. I usually just demonstrate setting a cookie or something (and show 
how this can be used for session fixation - e.g., set PHPSESSID).

Chris

-- 
Chris Shiflett
Brain Bulb, The PHP Consultancy
http://brainbulb.com/


From shiflett at php.net  Sun Sep 18 15:34:50 2005
From: shiflett at php.net (Chris Shiflett)
Date: Sun, 18 Sep 2005 15:34:50 -0400
Subject: [nycphp-talk] Phundamentals Title Change: Email Header Injection
In-Reply-To: <0IN000J45Y47A310@mta7.srv.hcvlny.cv.net>
References: <0IN000J45Y47A310@mta7.srv.hcvlny.cv.net>
Message-ID: <432DC15A.8080409@php.net>

Jeff Siegel wrote:
> See: http://www.nyphp.org/phundamentals/email_header_injection.php

I recommend that we change:

"All PHP scripts which send email based on input data are vulnerable."

to:

"All PHP scripts which send email based on tainted data are vulnerable."

or:

"All PHP scripts which send email based on input data might be vulnerable."

It might be better to reword it some other way, but it's false as written.

Chris

-- 
Chris Shiflett
Brain Bulb, The PHP Consultancy
http://brainbulb.com/


From shiflett at php.net  Sun Sep 18 15:45:14 2005
From: shiflett at php.net (Chris Shiflett)
Date: Sun, 18 Sep 2005 15:45:14 -0400
Subject: [nycphp-talk] [Re:  Code cleanliness vs. code popularity]
In-Reply-To: <c142d869796bc0183ab07e48aeb70f68@jobsforge.com>
References: <432D5D23.1000705@gmail.com>
	<c142d869796bc0183ab07e48aeb70f68@jobsforge.com>
Message-ID: <432DC3CA.8070006@php.net>

Matthew Terenzio wrote:
> If you know exactly what you want and it won't change, write a
> bunch of scripts.
> 
> If things might change down the line, encapsulate it. Then you
> can modify things without breaking it.
> 
> That said, it's certainly possible to make large, flexible 
> applications using procedural programming techniques, but
> thinking about the issues which OO was made to solve.

I tend to write more procedural code than OO, and I agree with this 
statement. Of course you can do just as much with a procedural paradigm, 
but it's good to sometimes step back and make sure you're not solving 
too many of the same problems that OO solves. I can usually tell that 
I've chosen the wrong approach when one of two things happens:

1. I'm writing procedural code, and I'm cobbling together some of the 
same features that are inherent in an OO approach.

2. I'm writing OO code, but I'm not really using any of its features.

That's my personal sanity check. :-)

Chris

-- 
Chris Shiflett
Brain Bulb, The PHP Consultancy
http://brainbulb.com/


From shiflett at php.net  Sun Sep 18 16:42:16 2005
From: shiflett at php.net (Chris Shiflett)
Date: Sun, 18 Sep 2005 16:42:16 -0400
Subject: [nycphp-talk] Code cleanliness vs. code popularity
In-Reply-To: <5e2aaca40509171917249783e@mail.gmail.com>
References: <1127004166.9837.243155620@webmail.messagingengine.com>
	<24523-33632@sneakemail.com> <5e2aaca40509171917249783e@mail.gmail.com>
Message-ID: <432DD128.8030102@php.net>

Greg Rundlett wrote:
> In my experience, fudforum <http://fudforum.org> is a better forum
> software than phpBB, and the main author is a PEAR member who has many
> code contributions to open source beyond fudforum.

He's more than a PEAR contributor. Ilia is a primary contributor to PHP 
itself, and he has even served as release manager (for 4.3, I think).

FUDforum is faster, more reliable, and more secure than phpBB, but it 
has a poor interface (in my opinion). I think there is currently a big 
push to improve this aspect.

> That seems fine, however one major concern that I have is that there
> is binary content in the installer. I posed a question on the site to
> find out what it is, and how they could license it under the GPL if
> the installer itself is part binary.

It sounds like you misunderstand the GPL.

> Until that is clarified, I guess I would suggest NOT using it.

In that case, you might want to stop using PHP. You can get binary 
distributions of it.

(Binary is not a bad word.)

Chris

-- 
Chris Shiflett
Brain Bulb, The PHP Consultancy
http://brainbulb.com/


From mail at billyreisinger.com  Sun Sep 18 19:56:41 2005
From: mail at billyreisinger.com (Billy Reisinger)
Date: Sun, 18 Sep 2005 19:56:41 -0400
Subject: [nycphp-talk] Phundamentals Title Change: Email Header Injection
In-Reply-To: <0IN000J45Y47A310@mta7.srv.hcvlny.cv.net>
References: <0IN000J45Y47A310@mta7.srv.hcvlny.cv.net>
Message-ID: <E4708F6B-86C2-496A-A595-5CCA96016955@billyreisinger.com>

My 2 cents about the content of the post are:

"Grep through your mail server logs for the list of emails, using a  
command something like this:
grep -f exploitaddresses.lst /var/log/maillog
(or wherever your mail log is located)

If any are found, cross reference the time of the mailing to times in  
your web server logs to help determine the exploitable script. Modify  
any such scripts to properly filter input fields, with a function  
something like this:"

I think you should encourage everyone to fix their script, not just  
those who find the email addresses you listed in their logs. As  
someone succinctly pointed out in the thread about this injection  
attack, the email addresses being used for this attack are most  
likely subject to change.  People should be safeguarding their  
scripts as a precautionary measure, not as a band-aid after the fact.

Cheers!

Billy Reisinger




On Sep 18, 2005, at 2:02 PM, Jeff Siegel wrote:

> The title of the most recent PHundamentals article has been changed  
> to "Email Header Injection."
>
> See: http://www.nyphp.org/phundamentals/email_header_injection.php
>
> Jeff
> _______________________________________________
> New York PHP Talk Mailing List
> AMP Technology
> Supporting Apache, MySQL and PHP
> http://lists.nyphp.org/mailman/listinfo/talk
> http://www.nyphp.org

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.nyphp.org/pipermail/talk/attachments/20050918/41ee00df/attachment.html>

From jay_nyphp at fastmail.fm  Sun Sep 18 21:57:47 2005
From: jay_nyphp at fastmail.fm (Jayesh Sheth)
Date: Sun, 18 Sep 2005 21:57:47 -0400
Subject: [nycphp-talk] Code cleanliness vs. code popularity
Message-ID: <1127095067.7691.243200368@webmail.messagingengine.com>

Hi everyone,

Here is a brief follow-up on PHP forums.

I followed my curiousity today, and checked out the code of a handful of
open source PHP bulletin board systems.
The ones I checked out were: Bee Hive Forum, MiniBB, W-Agora, smf,
l-forum, and Phorum. 

I had used MiniBB in the past, and it works well from a user's point of
view, and its templates were easy to customize. I had never really
looked into its code, which is not commented at all, and frankly almost
obfuscated. (Sorry that came out so harsh!) It's a neat piece of
software to use, but heaven help me if I were asked to customize it at
the code (as opposed to template) level.

I briefly looked through the other packages, and none of them, except
Phorum, seemed to have been coded well. I checked out Phorum on a lark,
having remembered it from years ago, when Mozillazine used its version 2
software. (Mozillazine has since moved to phpBB.) Phorum is now up to
version 5. A lot / most of its code seems to be functionized, or uses
functions. I like that! I tried out a demo at opensourcecms.com, and it
seems okay. Best of all, http://forums.mysql.com/ seems to use it. There
are some glaring user interface boo-boos: for example, in order to
register as a new user, you have to click on 'log in'. This error could
be easily fixed. They even have a developer blog, and their site has a
tidy and easy-to-navigate feel to it. Check it out:
http://www.phorum.org .

I have been wanting to check out Fudforum too. I wish someone would make
a zip or tar.gz file of its uncompressed sources so I could check it
out.

Best regards,

- Jay
- Jay


From jsiegel1 at optonline.net  Mon Sep 19 06:47:40 2005
From: jsiegel1 at optonline.net (Jeff Siegel)
Date: Mon, 19 Sep 2005 06:47:40 -0400
Subject: [nycphp-talk] Phundamentals Title Change: Email Header Injection
In-Reply-To: <E4708F6B-86C2-496A-A595-5CCA96016955@billyreisinger.com>
Message-ID: <0IN200CYV8NHMOE0@mta10.srv.hcvlny.cv.net>

Point well taken and I believe it was Dan C. who noted the need to not rely
on that list of "known" email addresses.
 
Jeff
 
 

  _____  

From: talk-bounces at lists.nyphp.org [mailto:talk-bounces at lists.nyphp.org] On
Behalf Of Billy Reisinger
Sent: Sunday, September 18, 2005 6:57 PM
To: NYPHP Talk
Subject: Re: [nycphp-talk] Phundamentals Title Change: Email Header Injection


My 2 cents about the content of the post are: 

"Grep through your mail server logs for the list of emails, using a command
something like this: 
grep -f exploitaddresses.lst /var/log/maillog 

(or wherever your mail log is located)

If any are found, cross reference the time of the mailing to times in your
web server logs to help determine the exploitable script. Modify any such
scripts to properly filter input fields, with a function something like
this:"

I think you should encourage everyone to fix their script, not just those
who find the email addresses you listed in their logs. As someone succinctly
pointed out in the thread about this injection attack, the email addresses
being used for this attack are most likely subject to change. People should
be safeguarding their scripts as a precautionary measure, not as a band-aid
after the fact. 

Cheers!

Billy Reisinger






On Sep 18, 2005, at 2:02 PM, Jeff Siegel wrote:


The title of the most recent PHundamentals article has been changed to
"Email Header Injection." 

See: http://www.nyphp.org/phundamentals/email_header_injection.php

Jeff
_______________________________________________
New York PHP Talk Mailing List
AMP Technology
Supporting Apache, MySQL and PHP
http://lists.nyphp.org/mailman/listinfo/talk
http://www.nyphp.org


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.nyphp.org/pipermail/talk/attachments/20050919/7c9469e2/attachment.html>

From dcech at phpwerx.net  Mon Sep 19 08:24:27 2005
From: dcech at phpwerx.net (Dan Cech)
Date: Mon, 19 Sep 2005 08:24:27 -0400
Subject: [nycphp-talk] Phundamentals Title Change: Email Header Injection
In-Reply-To: <0IN200CYV8NHMOE0@mta10.srv.hcvlny.cv.net>
References: <0IN200CYV8NHMOE0@mta10.srv.hcvlny.cv.net>
Message-ID: <432EADFB.8040907@phpwerx.net>

Jeff & list,

I believe I managed to avoid weighing into the various debates raging 
back and forth in the thread.

The idea of checking for particular email addresses in the mail logs 
does seem pretty naive, especially as they are such a throwaway item 
these days.

Personally I'm of the opinion that these kinds of forms should require 
inputs that are supposed to be email addresses to look like email 
addresses.  Not only will that remove the possibility of this exploit, 
it will also cut down (ever so slightly) on malformed addresses being 
sent through to the mail subsystem.  Good user feedback for 'invalid' 
addresses should allow anyone using the form to 'correct' them, so I see 
little point in blindly accepting something that isn't obviously an 
email address.

The other common vulnerable field seems to be the Subject, though I see 
very little reason not to restrict that (or any other non-address) field 
to something like /^([-a-z0-9!@#$%^&*()_\[\]{}\\|;:'",.<>\/?+= ]+)$/i, 
especially considering the fact that non-ascii characters are usually 
frowned upon in email headers.

Also, correct me if I'm wrong but I believe the %0A encoding is purely 
used in the request string, once it gets into PHP it will just see 
either \n or \r, the literal string %0A does not pose any risk to emails 
as a string itself.

Dan

Jeff Siegel wrote:
> Point well taken and I believe it was Dan C. who noted the need to not rely
> on that list of "known" email addresses.
>  
> Jeff


From greg.rundlett at gmail.com  Mon Sep 19 11:14:00 2005
From: greg.rundlett at gmail.com (Greg Rundlett)
Date: Mon, 19 Sep 2005 11:14:00 -0400
Subject: [nycphp-talk] Code cleanliness vs. code popularity
In-Reply-To: <432DD128.8030102@php.net>
References: <1127004166.9837.243155620@webmail.messagingengine.com>
	<24523-33632@sneakemail.com>
	<5e2aaca40509171917249783e@mail.gmail.com> <432DD128.8030102@php.net>
Message-ID: <5e2aaca405091908149a71a71@mail.gmail.com>

On 9/18/05, Chris Shiflett <shiflett at php.net> wrote:
> 
> Greg Rundlett wrote:
> > In my experience, fudforum <http://fudforum.org> is a better forum
> > software than phpBB, and the main author is a PEAR member who has many
> > code contributions to open source beyond fudforum.
> 
> He's more than a PEAR contributor. Ilia is a primary contributor to PHP
> itself, and he has even served as release manager (for 4.3, I think).

FUDforum is faster, more reliable, and more secure than phpBB, but it
> has a poor interface (in my opinion). I think there is currently a big
> push to improve this aspect.
> 
> > That seems fine, however one major concern that I have is that there
> > is binary content in the installer. I posed a question on the site to
> > find out what it is, and how they could license it under the GPL if
> > the installer itself is part binary.
> 
> It sounds like you misunderstand the GPL.


Huh? One of the primary objectives of the GPL is to allow for distribution 
of human-readable source code, not binary. I have no misunderstanding in 
that regard.

> Until that is clarified, I guess I would suggest NOT using it.
> 
> In that case, you might want to stop using PHP. You can get binary
> distributions of it.


b/c I do not know how to read binary code, I do not wish to put a personal 
recommendation on something which is binary. My comments have nothing to do 
with what formats PHP itself is available in. On top of that, PHP is not 
exactly relevant to a discussion of what the GPL means since it's not even 
licensed under the GPL. PHP developers switched from a GPL license to the 
PHP license way back around version 3. I was trying to be helpful with a 
recommendation of a good forum software, and somehow you twisted the thread 
completely off-topic.

Ilya responded to my question about the binary contents here: 
http://fudforum.org/forum/index.php?t=msg&goto=27661&#msg_27661 There are 
about 9.3M of sources, which I don't have time to review, but they are all 
available. And, I repeat: In my experience, FUDForum is better software than 
phpBB. I was intending to give credit to Ilya originally because I've been 
impressed with his work since the days of the template flame-wars on the 
PEAR-DEV list.

(Binary is not a bad word.)


Well, at least this comment is accurate and non-inflamatory. Just last week 
I was telling people that they should come hear your presentation at the 
next BostonPHP meeting. I hope your presentation accurate and 
non-inflamatory too.

Chris
> 
> --
> Chris Shiflett
> Brain Bulb, The PHP Consultancy
> http://brainbulb.com/
> _______________________________________________
> New York PHP Talk Mailing List
> AMP Technology
> Supporting Apache, MySQL and PHP
> http://lists.nyphp.org/mailman/listinfo/talk
> http://www.nyphp.org
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.nyphp.org/pipermail/talk/attachments/20050919/a36723ed/attachment.html>

From dwclifton at gmail.com  Mon Sep 19 14:16:21 2005
From: dwclifton at gmail.com (Douglas Clifton)
Date: Mon, 19 Sep 2005 14:16:21 -0400
Subject: [nycphp-talk] Code cleanliness vs. code popularity
In-Reply-To: <mailman.0.1127145602.9692.talk@lists.nyphp.org>
References: <mailman.0.1127145602.9692.talk@lists.nyphp.org>
Message-ID: <7d6cdcb050919111628773565@mail.gmail.com>

If you're interested  in PHP-based forum packages,
I'd recommend taking a look at Vanilla:

http://www.getvanilla.com/

I use it on my own site, and compared to the others
I've reviewed...well, just have a look yourself. ~d

-- 
Douglas Clifton
dwclifton at gmail.com
http://loadaveragezero.com/
http://loadaveragezero.com/app/s9y/
http://loadaveragezero.com/drx/rss/recent

> ---------- Forwarded message ----------
> From: "Jayesh Sheth" <jay_nyphp at fastmail.fm>
> To: "NYPHP Talk" <talk at lists.nyphp.org>
> Date: Sun, 18 Sep 2005 21:57:47 -0400
> Subject: [nycphp-talk] Code cleanliness vs. code popularity
> Hi everyone,
> 
> Here is a brief follow-up on PHP forums.
> 
> I followed my curiousity today, and checked out the code of a handful of
> open source PHP bulletin board systems.
> The ones I checked out were: Bee Hive Forum, MiniBB, W-Agora, smf,
> l-forum, and Phorum.
> 
> I had used MiniBB in the past, and it works well from a user's point of
> view, and its templates were easy to customize. I had never really
> looked into its code, which is not commented at all, and frankly almost
> obfuscated. (Sorry that came out so harsh!) It's a neat piece of
> software to use, but heaven help me if I were asked to customize it at
> the code (as opposed to template) level.
> 
> I briefly looked through the other packages, and none of them, except
> Phorum, seemed to have been coded well. I checked out Phorum on a lark,
> having remembered it from years ago, when Mozillazine used its version 2
> software. (Mozillazine has since moved to phpBB.) Phorum is now up to
> version 5. A lot / most of its code seems to be functionized, or uses
> functions. I like that! I tried out a demo at opensourcecms.com, and it
> seems okay. Best of all, http://forums.mysql.com/ seems to use it. There
> are some glaring user interface boo-boos: for example, in order to
> register as a new user, you have to click on 'log in'. This error could
> be easily fixed. They even have a developer blog, and their site has a
> tidy and easy-to-navigate feel to it. Check it out:
> http://www.phorum.org .
> 
> I have been wanting to check out Fudforum too. I wish someone would make
> a zip or tar.gz file of its uncompressed sources so I could check it
> out.


From chsnyder at gmail.com  Mon Sep 19 15:09:42 2005
From: chsnyder at gmail.com (csnyder)
Date: Mon, 19 Sep 2005 15:09:42 -0400
Subject: [nycphp-talk] Code cleanliness vs. code popularity
In-Reply-To: <7d6cdcb050919111628773565@mail.gmail.com>
References: <mailman.0.1127145602.9692.talk@lists.nyphp.org>
	<7d6cdcb050919111628773565@mail.gmail.com>
Message-ID: <b76252690509191209621217f7@mail.gmail.com>

On 9/19/05, Douglas Clifton <dwclifton at gmail.com> wrote:
> If you're interested  in PHP-based forum packages,
> I'd recommend taking a look at Vanilla:
> 
> http://www.getvanilla.com/
> 
> I use it on my own site, and compared to the others
> I've reviewed...well, just have a look yourself. ~d
> 


That's -really- nice. And reams of developer docs, too.

It's still a little geek-centric, but the developers have obviously
made a conscious effort to create forum software for a wider audience.

-- 
Chris Snyder
http://chxo.com/


From shiflett at php.net  Mon Sep 19 16:50:00 2005
From: shiflett at php.net (Chris Shiflett)
Date: Mon, 19 Sep 2005 16:50:00 -0400
Subject: [nycphp-talk] Code cleanliness vs. code popularity
In-Reply-To: <5e2aaca405091908149a71a71@mail.gmail.com>
References: <1127004166.9837.243155620@webmail.messagingengine.com>
	<24523-33632@sneakemail.com> <5e2aaca40509171917249783e@mail.gmail.com>
	<432DD128.8030102@php.net> <5e2aaca405091908149a71a71@mail.gmail.com>
Message-ID: <432F2478.1050103@php.net>

Greg Rundlett wrote:
 > Huh? One of the primary objectives of the GPL is to allow for
 > distribution of human-readable source code, not binary. I have
 > no misunderstanding in that regard.

The GPL attempts to guarantee code's freedom (as opposed to BSD licenses 
which place more emphasis on users' freedom). There is nothing that 
requires software licensed under the GPL to only be distributed as 
source code. Compiled binaries have always been fine as long as the 
source is made available somehow (and that's only a requirement if you 
distribute it - you can keep your modifications private if you don't). 
In fact, most people use binaries to install Linux.

 > b/c I do not know how to read binary code, I do not wish to put
 > a personal recommendation on something which is binary.

That's understandable, but I don't see why you felt the need to 
specifically recommend against using it.

In this case, it's like recommending that people not use Apache because 
apache_1.3.33.tar.gz is binary.

 > Just last week I was telling people that they should come hear
 > your presentation at the next BostonPHP meeting. I hope your
 > presentation accurate and non-inflamatory too.

Well, it's live (not email), so I think it's harder to misinterpret my 
intentions. However, if you feel that correcting your misunderstanding 
about the GPL is inflammatory, then you might find something offensive 
in the talk.

Chris

-- 
Chris Shiflett
Brain Bulb, The PHP Consultancy
http://brainbulb.com/


From odragola at gmail.com  Mon Sep 19 17:09:09 2005
From: odragola at gmail.com (Odra Gola)
Date: Mon, 19 Sep 2005 17:09:09 -0400
Subject: [nycphp-talk] highest key of an array
Message-ID: <ea8ff1d205091914094a65fd9e@mail.gmail.com>

is there a quick way to return the numerically highest key of an array? (not 
the element)
I wrote my own function to do it, but I'm affraid I'm reinventing the wheel

Thanks,
Olaf
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.nyphp.org/pipermail/talk/attachments/20050919/8b9c870b/attachment.html>

From adam at trachtenberg.com  Mon Sep 19 17:19:48 2005
From: adam at trachtenberg.com (Adam Maccabee Trachtenberg)
Date: Mon, 19 Sep 2005 17:19:48 -0400 (EDT)
Subject: [nycphp-talk] highest key of an array
In-Reply-To: <ea8ff1d205091914094a65fd9e@mail.gmail.com>
References: <ea8ff1d205091914094a65fd9e@mail.gmail.com>
Message-ID: <Pine.LNX.4.58.0509191717410.21277@miranda.org>

On Mon, 19 Sep 2005, Odra Gola wrote:

> is there a quick way to return the numerically highest key of an array? (not
> the element)
> I wrote my own function to do it, but I'm affraid I'm reinventing the wheel

Assuming you add keys in a sensible order:

end($array);
$highest = key($array);

Otherwise, you should sort the array first.

-adam

-- 
adam at trachtenberg.com | http://www.trachtenberg.com
author of o'reilly's "upgrading to php 5" and "php cookbook"
avoid the holiday rush, buy your copies today!


From kenrbnsn at rbnsn.com  Mon Sep 19 17:21:37 2005
From: kenrbnsn at rbnsn.com (Ken Robinson)
Date: Mon, 19 Sep 2005 17:21:37 -0400
Subject: [nycphp-talk] highest key of an array
In-Reply-To: <ea8ff1d205091914094a65fd9e@mail.gmail.com>
References: <ea8ff1d205091914094a65fd9e@mail.gmail.com>
Message-ID: <6.2.5.4.2.20050919171923.0aaec7e0@rbnsn.com>

At 05:09 PM 9/19/2005, Odra Gola wrote:
>is there a quick way to return the numerically highest key of an 
>array? (not the element)
>I wrote my own function to do it, but I'm affraid I'm reinventing the wheel

Use:
$a = array();
max(array_keys($a))

Example:
<?
$a = array();
for ($i=0;$i<rand(10,30);$i++)
$a[rand(30,100)] = rand(100,550);
echo 'Max key=' . max(array_keys($a)) . ' value=' .
$a[max(array_keys($a))];
echo '<br>Min key=' . min(array_keys($a)) . ' value=' .
$a[min(array_keys($a))];
echo '<br>Max value=' . max($a);
echo '<br>Min value=' . min($a);
?>
Ken 
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.nyphp.org/pipermail/talk/attachments/20050919/121e5b59/attachment.html>

From papillion at gmail.com  Mon Sep 19 17:23:09 2005
From: papillion at gmail.com (Anthony Papillion II)
Date: Mon, 19 Sep 2005 16:23:09 -0500
Subject: [nycphp-talk] highest key of an array
In-Reply-To: <Pine.LNX.4.58.0509191717410.21277@miranda.org>
References: <ea8ff1d205091914094a65fd9e@mail.gmail.com>
	<Pine.LNX.4.58.0509191717410.21277@miranda.org>
Message-ID: <432F2C3D.5070201@gmail.com>

 > Assuming you add keys in

That triggers a question in my mind: what do you mean "sensible order"? 
When I assign a new array element doesn't PHP automatically assign the 
next highest value as it's number? Or is this something that I need to 
manage manually?

Thanks,
Anthony




From kenrbnsn at rbnsn.com  Mon Sep 19 17:34:12 2005
From: kenrbnsn at rbnsn.com (Ken Robinson)
Date: Mon, 19 Sep 2005 17:34:12 -0400
Subject: [nycphp-talk] highest key of an array
In-Reply-To: <432F2C3D.5070201@gmail.com>
References: <ea8ff1d205091914094a65fd9e@mail.gmail.com>
	<Pine.LNX.4.58.0509191717410.21277@miranda.org>
	<432F2C3D.5070201@gmail.com>
Message-ID: <6.2.5.4.2.20050919173006.0a974f28@rbnsn.com>

At 05:23 PM 9/19/2005, Anthony Papillion II wrote:
>  > Assuming you add keys in
>
>That triggers a question in my mind: what do you mean "sensible order"?
>When I assign a new array element doesn't PHP automatically assign the
>next highest value as it's number? Or is this something that I need to
>manage manually?

If you're just adding to an array using the '$arr[]' construct, then 
PHP will increment the index for you. But, let's say you're getting 
information out of a database and each record is uniquely identified 
by an ID number in the database. If you use that ID number as the 
index when you store the record in the array, the order you store 
them may not be in ascending  order according to that number.

Ken 
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.nyphp.org/pipermail/talk/attachments/20050919/a585ba72/attachment.html>

From papillion at gmail.com  Mon Sep 19 17:37:11 2005
From: papillion at gmail.com (Anthony Papillion II)
Date: Mon, 19 Sep 2005 16:37:11 -0500
Subject: [nycphp-talk] highest key of an array
In-Reply-To: <6.2.5.4.2.20050919173006.0a974f28@rbnsn.com>
References: <ea8ff1d205091914094a65fd9e@mail.gmail.com>	<Pine.LNX.4.58.0509191717410.21277@miranda.org>	<432F2C3D.5070201@gmail.com>
	<6.2.5.4.2.20050919173006.0a974f28@rbnsn.com>
Message-ID: <432F2F87.3060300@gmail.com>


> If you're just adding to an array using the '$arr[]' construct, then 
> PHP will increment the index for you. But, let's say you're getting 
> information out of a database and each record is uniquely identified 
> by an ID number in the database. If you use that ID number as the 
> index when you store the record in the array, the order you store them 
> may not be in ascending  order according to that number.


Makes sense. I'd not considered that. Thanks!

Anthony


From rahmin at insite-out.com  Mon Sep 19 17:45:08 2005
From: rahmin at insite-out.com (Rahmin Pavlovic)
Date: Mon, 19 Sep 2005 17:45:08 -0400
Subject: [nycphp-talk] highest key of an array
Message-ID: <200509192145.j8JLj8lS015225@webmail2.megamailservers.com>

An embedded and charset-unspecified text was scrubbed...
Name: not available
URL: <http://lists.nyphp.org/pipermail/talk/attachments/20050919/bedd369a/attachment.ksh>

From thegeek at thecolorgeek.com  Mon Sep 19 18:06:05 2005
From: thegeek at thecolorgeek.com (thegeek)
Date: Mon, 19 Sep 2005 18:06:05 -0400
Subject: [nycphp-talk] Multiple query from out put
In-Reply-To: <432F2F87.3060300@gmail.com>
References: <ea8ff1d205091914094a65fd9e@mail.gmail.com>
	<Pine.LNX.4.58.0509191717410.21277@miranda.org>
	<432F2C3D.5070201@gmail.com>
	<6.2.5.4.2.20050919173006.0a974f28@rbnsn.com>
	<432F2F87.3060300@gmail.com>
Message-ID: <20050919220605.9219.qmail@mail1.fluidhosting.com>

Well need some guidance here.  Pretty much a beginer.  Here is what I would 
like to do.  I have a script that searches a table within the database and 
returns multiple enteries(zip codes) in that table.  I would then like to 
take each one of zipcodes and search another table for store addresses.  So 
am unsure how to format to make multiple queries from the original zipcode 
search.  I can query the database (MySQL) with a single zip and get what I 
need but don't know where to start when to repeat that with a multiple 
query.  This is a volunteer non profit project with no money and no real 
deadline so a good opportunity for me to learn. 

Paul G


From kenrbnsn at rbnsn.com  Mon Sep 19 18:14:33 2005
From: kenrbnsn at rbnsn.com (Ken Robinson)
Date: Mon, 19 Sep 2005 18:14:33 -0400
Subject: [nycphp-talk] highest key of an array
In-Reply-To: <200509192145.j8JLj8lS015225@webmail2.megamailservers.com>
References: <200509192145.j8JLj8lS015225@webmail2.megamailservers.com>
Message-ID: <6.2.5.4.2.20050919181306.0ac6b4f0@rbnsn.com>

At 05:45 PM 9/19/2005, Rahmin Pavlovic wrote:
>You can also use array() to create quasi-objects, stuff like:
>
>$user=array('firstname'=>'Bob', 'username'=>'bobbo23');
>
>$subscription=array();
>$subscription['basic']=array();
>$subscription['basic']['price']=50;

Yes, but the original question dealt with numerical indices, not 
associative ones.

Ken 



From gatzby3jr at gmail.com  Mon Sep 19 18:24:52 2005
From: gatzby3jr at gmail.com (Brian O'Connor)
Date: Mon, 19 Sep 2005 18:24:52 -0400
Subject: [nycphp-talk] Multiple query from out put
In-Reply-To: <20050919220605.9219.qmail@mail1.fluidhosting.com>
References: <ea8ff1d205091914094a65fd9e@mail.gmail.com>
	<Pine.LNX.4.58.0509191717410.21277@miranda.org>
	<432F2C3D.5070201@gmail.com>
	<6.2.5.4.2.20050919173006.0a974f28@rbnsn.com>
	<432F2F87.3060300@gmail.com>
	<20050919220605.9219.qmail@mail1.fluidhosting.com>
Message-ID: <29da5d1505091915244ca3c28d@mail.gmail.com>

If you're storing the address of the stores in seperate rows, where zip code 
is its own row you could do something like this:

$query = "SELECT stores.* FROM stores, zip_codes WHERE stores.zip = 
zip_codes.value AND zip_codes.value = '$zip_code';";

Obviously you need to replace the tables / structure with what you have in 
place.

Also, you could just do "SELECT * FROM stores WHERE zip_code = 
'$zipcode'';";

Also, if you're wondering about the multiple queries with the return from 
the first query that you mentioned, you can use a while loop when assigning 
the value of mysql_fetch_array, which then handles all the results from the 
database with the code included within the while loop.

Hope that helps (and sorry if I was confusing).

On 9/19/05, thegeek <thegeek at thecolorgeek.com> wrote:
> 
> Well need some guidance here. Pretty much a beginer. Here is what I would
> like to do. I have a script that searches a table within the database and
> returns multiple enteries(zip codes) in that table. I would then like to
> take each one of zipcodes and search another table for store addresses. So
> am unsure how to format to make multiple queries from the original zipcode
> search. I can query the database (MySQL) with a single zip and get what I
> need but don't know where to start when to repeat that with a multiple
> query. This is a volunteer non profit project with no money and no real
> deadline so a good opportunity for me to learn.
> 
> Paul G
> _______________________________________________
> New York PHP Talk Mailing List
> AMP Technology
> Supporting Apache, MySQL and PHP
> http://lists.nyphp.org/mailman/listinfo/talk
> http://www.nyphp.org
> 



-- 
Brian O'Connor
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.nyphp.org/pipermail/talk/attachments/20050919/5e037508/attachment.html>

From 1j0lkq002 at sneakemail.com  Mon Sep 19 18:38:20 2005
From: 1j0lkq002 at sneakemail.com (inforequest)
Date: Mon, 19 Sep 2005 15:38:20 -0700
Subject: [nycphp-talk] Multiple query from out put
In-Reply-To: <20050919220605.9219.qmail@mail1.fluidhosting.com>
References: <ea8ff1d205091914094a65fd9e@mail.gmail.com>	<Pine.LNX.4.58.0509191717410.21277@miranda.org>	<432F2C3D.5070201@gmail.com>	<6.2.5.4.2.20050919173006.0a974f28@rbnsn.com>	<432F2F87.3060300@gmail.com>
	<20050919220605.9219.qmail@mail1.fluidhosting.com>
Message-ID: <32520-69739@sneakemail.com>

thegeek thegeek-at-thecolorgeek.com |nyphp dev/internal group use| wrote:

>Well need some guidance here.  Pretty much a beginer.  Here is what I would 
>like to do.  I have a script that searches a table within the database and 
>returns multiple enteries(zip codes) in that table.  I would then like to 
>take each one of zipcodes and search another table for store addresses.  So 
>am unsure how to format to make multiple queries from the original zipcode 
>search.  I can query the database (MySQL) with a single zip and get what I 
>need but don't know where to start when to repeat that with a multiple 
>query.  This is a volunteer non profit project with no money and no real 
>deadline so a good opportunity for me to learn. 
>
>Paul G
>  
>
You might be best served if you post a code snippet for you project. Put 
on your hard hat first, and send it to the list and I am *quite sure* 
you will get some expert opinions.

-=john andrews
http://www.seo-fun.com



From rolson at aeso.org  Tue Sep 20 01:18:26 2005
From: rolson at aeso.org (Rick Olson)
Date: Mon, 19 Sep 2005 22:18:26 -0700
Subject: [nycphp-talk] PHPWiki
In-Reply-To: <43242A1B.4050102@magpie.com>
References: <43242A1B.4050102@magpie.com>
Message-ID: <432F9BA2.3000904@aeso.org>

I've had really poor experiences with PHPWiki in the past.  We 
"upgraded" to MediaWiki, and it has been fantastic :)  So, I'd have to 
second everyone else who recommended MediaWiki.

It takes me all of 97 seconds to install MediaWiki, perhaps another perk :)

-Rick

Steve Manes wrote:

>Pardon me if this has been discussed before.  I assume it has been but I 
>was probably outside having a smoke.  What's the general opinion about 
>PHPWiki here?
>
>I'm tasked with setting up a Wiki for a large open source PHP dev 
>project for Childrens Health Fund.  I've set up and used TikiWiki before 
>and it worked fine.  It's just a bit of overkill for our needs and it 
>would sorta politically undercut my argument for PHP as the base 
>language for this project if I installed a perl wiki.
>
>I downloaded v1.3 last night and got it running okay albeit with tons of 
>PHP warnings, mostly about using invalid types in referenced arg 
>variables.  I googled relentlessly on this problem only to find myself 
>directed to other PHPWiki sites, most of which suffered from the same 
>affliction.
>
>I know how to turn off those warnings and know (pretty much) what's 
>causing them.  But I'd rather not mask the symptoms.  Also, PHP warnings 
>indicate potentially problematic code.
>
>Is v1.3 not ready for prime time or does it require PHP5?  The 
>installation docs are somewhat byzantine.  Is there a better PHP 
>alternative to PHPWiki?
>_______________________________________________
>New York PHP Talk Mailing List
>AMP Technology
>Supporting Apache, MySQL and PHP
>http://lists.nyphp.org/mailman/listinfo/talk
>http://www.nyphp.org
>
>
>  
>



From mlynch1 at gmail.com  Tue Sep 20 04:56:06 2005
From: mlynch1 at gmail.com (Mike Lynch)
Date: Tue, 20 Sep 2005 09:56:06 +0100
Subject: [nycphp-talk] Quickform: Select All Checkboxes
Message-ID: <9db292e9050920015625609d83@mail.gmail.com>

Hi All
 I am using QF to display a variable number of checkboxes (depends on what 
is returned from a database query).
The number of "checkable" items can be quite large.
 What is the best way to implement a "Select All" and "Deselect All" option 
for these checkboxes in Quickform ?
 Thanks
 Mike
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.nyphp.org/pipermail/talk/attachments/20050920/c86779e2/attachment.html>

From danielc at analysisandsolutions.com  Tue Sep 20 09:56:27 2005
From: danielc at analysisandsolutions.com (Daniel Convissor)
Date: Tue, 20 Sep 2005 09:56:27 -0400
Subject: [nycphp-talk] Multiple query from out put
In-Reply-To: <20050919220605.9219.qmail@mail1.fluidhosting.com>
References: <ea8ff1d205091914094a65fd9e@mail.gmail.com>
	<Pine.LNX.4.58.0509191717410.21277@miranda.org>
	<432F2C3D.5070201@gmail.com>
	<6.2.5.4.2.20050919173006.0a974f28@rbnsn.com>
	<432F2F87.3060300@gmail.com>
	<20050919220605.9219.qmail@mail1.fluidhosting.com>
Message-ID: <20050920135626.GA15324@panix.com>

Hi Paul:

On Mon, Sep 19, 2005 at 06:06:05PM -0400, thegeek wrote:

> I have a script that searches a table within the database and 
> returns multiple enteries(zip codes) in that table.  I would then like to 
> take each one of zipcodes and search another table for store addresses.

-- create some sample talbes and data
create table zips (zip char(1), cond char(1));
insert into zips values ('1', 'a');
insert into zips values ('2', 'a');
insert into zips values ('3', 'b');

create table stores (zip char(1), name char(1));
insert into stores values ('1', 'm');
insert into stores values ('2', 'n');
insert into stores values ('2', 'o');
insert into stores values ('3', 'p');

-- show how to make a nice joining query
select zips.zip, name
from zips
join stores using (zip)
where cond = 'a';

-- remove these sample tables
drop table zips;
drop table stores;

--Dan

-- 
 T H E   A N A L Y S I S   A N D   S O L U T I O N S   C O M P A N Y
            data intensive web and database programming
                http://www.AnalysisAndSolutions.com/
 4015 7th Ave #4, Brooklyn NY 11232  v: 718-854-0335 f: 718-854-0409


From enunez at tiaa-cref.org  Tue Sep 20 10:16:39 2005
From: enunez at tiaa-cref.org (Nunez, Eddy)
Date: Tue, 20 Sep 2005 10:16:39 -0400
Subject: [nycphp-talk] Quickform: Select All Checkboxes
Message-ID: <33DFD788D44E404CB92B90176DEC061A6DAFAA@NYCPDMSXMB06.ad.tiaa-cref.org>

Only way to implement a "(de)select all" at the browser level is with Javascript.
Maybe QF has something built-in ... likely not since it's called "Quick" forms.
As far as I know, PHP can't help you there.
 
-Eddy

-----Original Message-----
From: talk-bounces at lists.nyphp.org [mailto:talk-bounces at lists.nyphp.org]On Behalf Of Mike Lynch
Sent: Tuesday, September 20, 2005 4:56 AM
To: talk at lists.nyphp.org
Subject: [nycphp-talk] Quickform: Select All Checkboxes


Hi All
 
I am using QF to display a variable number of checkboxes (depends on what is returned from a database query).
The number of "checkable" items can be quite large.
 
What is the best way to implement a "Select All" and "Deselect All" option for these checkboxes in Quickform ?
 
Thanks
 
Mike



**************************************************************
This message, including any attachments, contains confidential information intended for a specific individual and purpose, and is protected by law.  If you are not the intended recipient, please contact sender immediately by reply e-mail and destroy all copies.  You are hereby notified that any disclosure, copying, or distribution of this message, or the taking of any action based on it, is strictly prohibited.
TIAA-CREF
**************************************************************

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.nyphp.org/pipermail/talk/attachments/20050920/1eaa3b5d/attachment.html>

From thegeek at thecolorgeek.com  Tue Sep 20 10:23:50 2005
From: thegeek at thecolorgeek.com (thegeek)
Date: Tue, 20 Sep 2005 10:23:50 -0400
Subject: [nycphp-talk] Multiple query from out put
In-Reply-To: <20050920135626.GA15324@panix.com>
References: <ea8ff1d205091914094a65fd9e@mail.gmail.com>
	<Pine.LNX.4.58.0509191717410.21277@miranda.org>
	<432F2C3D.5070201@gmail.com>
	<6.2.5.4.2.20050919173006.0a974f28@rbnsn.com>
	<432F2F87.3060300@gmail.com>
	<20050919220605.9219.qmail@mail1.fluidhosting.com>
	<20050920135626.GA15324@panix.com>
Message-ID: <20050920142350.55936.qmail@mail1.fluidhosting.com>

Thanks for the help already I am still trying to wrap my monkey brain aroung 
the concept of arrays but have found some good defenitions through google.  
I am using this code I have found at phpclasses by: Micah Carrick have asked 
for snippets hope this is not to much 

function get_zips_in_range($zip, $range) {

     // returns an array of the zip codes within $range of $zip. Returns
     // an array with keys as zip codes and values as the distance from
     // the zipcode defined in $zip.



     $details = $this->get_zip_point($zip);  // base zip details
     if (empty($details)) return;

     // This portion of the routine  calculates the minimum and maximum lat 
and
     // long within a given range.  This portion of the code was written
     // by Jeff Bearer (http://www.jeffbearer.com). This significanly 
decreases
     // the time it takes to execute a query.  My demo took 3.2 seconds in
     // v1.0.0 and now executes in 0.4 seconds!  Greate job Jeff!

     // Find Max - Min Lat / Long for Radius and zero point and query
     // only zips in that range.
     $lat_range = $range/69.172;
     $lon_range = abs($range/(cos($details[0]) * 69.172));
     $min_lat = number_format($details[0] - $lat_range, "4", ".", "");
     $max_lat = number_format($details[0] + $lat_range, "4", ".", "");
     $min_lon = number_format($details[1] - $lon_range, "4", ".", "");
     $max_lon = number_format($details[1] + $lon_range, "4", ".", ""); 

     $return = array();    // declared here for scope 

     $sql = "SELECT zip_code, lattitude, longitude FROM zip_code
             WHERE zip_code <> $zip AND lattitude BETWEEN '$min_lat' AND
            '$max_lat' AND longitude BETWEEN '$min_lon' AND '$max_lon'";

     $r = mysql_query($sql);

     if (!$r) {    // sql error

        $this->last_error = mysql_error();
        return;

     } else {

        while ($row = mysql_fetch_array($r)) {

           // loop through all 40 some thousand zip codes and determine 
whether
           // or not it's within the specified range.

           $dist = 
$this->calculate_mileage($details[0],$row[1],$details[1],$row[2]);
           if ($this->units == 'k') $dist = $dist * 1.609344;
           if ($dist <= $range) {
              $return[str_pad($row[0], 5, "0", STR_PAD_LEFT)] = round($dist, 
$this->decimals);
           }
        }
        mysql_free_result($r);
     } 

 

Currently I am able to post to the script with a zip and a range and echo 
the results(a range of zips). Thanks for the pointers already. 

Enjoy the Day


From ps at pswebcode.com  Tue Sep 20 10:45:05 2005
From: ps at pswebcode.com (Peter Sawczynec)
Date: Tue, 20 Sep 2005 10:45:05 -0400
Subject: [nycphp-talk] Multiple query from out put
In-Reply-To: <20050919220605.9219.qmail@mail1.fluidhosting.com>
Message-ID: <000f01c5bdf1$e7177790$6400a8c0@PeterStorm>

Have you tried this type of structure:

SELECT s.address AS 'Store Address' FROM stores AS s
WHERE s.zip IN 
(SELECT z.zip FROM zipcodes AS z WHERE z.city = 'New York') 

In this example, first the subquery returns multiple zips for NYC. Then
the primary query returns all store data from the stores table with any
of the zips that came back from the zips in the NYC subquery.

Additionally, this example uses column and table aliases which are
important to use when searching for data across several tables. Aliases
are necessary because there may be columns with the same field name in
both tables and only aliases ensure you actually get the output from the
fields you really wanted.

Plus, when you use the fields with PHP later, the fields have clear
meanings to you and you can even use the original aliased field names as
human readable row header titles in your resultant HTML.

Warmest regards,
 
Peter Sawczynec
Technology Director
PSWebcode
www.pswebcode.com
ps at pswebcode.com
718.796.1951






-----Original Message-----
From: talk-bounces at lists.nyphp.org [mailto:talk-bounces at lists.nyphp.org]
On Behalf Of thegeek
Sent: Monday, September 19, 2005 6:06 PM
To: NYPHP Talk
Subject: [nycphp-talk] Multiple query from out put


Well need some guidance here.  Pretty much a beginer.  Here is what I
would 
like to do.  I have a script that searches a table within the database
and 
returns multiple enteries(zip codes) in that table.  I would then like
to 
take each one of zipcodes and search another table for store addresses.
So 
am unsure how to format to make multiple queries from the original
zipcode 
search.  I can query the database (MySQL) with a single zip and get what
I 
need but don't know where to start when to repeat that with a multiple 
query.  This is a volunteer non profit project with no money and no real

deadline so a good opportunity for me to learn. 

Paul G
_______________________________________________
New York PHP Talk Mailing List
AMP Technology
Supporting Apache, MySQL and PHP
http://lists.nyphp.org/mailman/listinfo/talk
http://www.nyphp.org




From ray at lances.net  Tue Sep 20 10:58:22 2005
From: ray at lances.net (Ray Lance)
Date: Tue, 20 Sep 2005 10:58:22 -0400
Subject: [nycphp-talk] Quickform: Select All Checkboxes
References: <33DFD788D44E404CB92B90176DEC061A6DAFAA@NYCPDMSXMB06.ad.tiaa-cref.org>
Message-ID: <199901c5bdf3$bf5ca6b0$0600000a@rayl>

It might help to notice that php runs on the webserver, whereas the select-all function would be wanted locally, on the browser client.
  ----- Original Message ----- 
  From: Nunez, Eddy 
  To: NYPHP Talk 
  Sent: Tuesday, September 20, 2005 10:16 AM
  Subject: [work] Re: [nycphp-talk] Quickform: Select All Checkboxes


  Only way to implement a "(de)select all" at the browser level is with Javascript.
  Maybe QF has something built-in ... likely not since it's called "Quick" forms.
  As far as I know, PHP can't help you there.

  -Eddy
    -----Original Message-----
    From: talk-bounces at lists.nyphp.org [mailto:talk-bounces at lists.nyphp.org]On Behalf Of Mike Lynch
    Sent: Tuesday, September 20, 2005 4:56 AM
    To: talk at lists.nyphp.org
    Subject: [nycphp-talk] Quickform: Select All Checkboxes


    Hi All

    I am using QF to display a variable number of checkboxes (depends on what is returned from a database query).
    The number of "checkable" items can be quite large.

    What is the best way to implement a "Select All" and "Deselect All" option for these checkboxes in Quickform ?

    Thanks

    Mike


  **************************************************************
  This message, including any attachments, contains confidential information intended for a specific individual and purpose, and is protected by law. If you are not the intended recipient, please contact sender immediately by reply e-mail and destroy all copies. You are hereby notified that any disclosure, copying, or distribution of this message, or the taking of any action based on it, is strictly prohibited.
  TIAA-CREF
  **************************************************************



------------------------------------------------------------------------------


  _______________________________________________
  New York PHP Talk Mailing List
  AMP Technology
  Supporting Apache, MySQL and PHP
  http://lists.nyphp.org/mailman/listinfo/talk
  http://www.nyphp.org
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.nyphp.org/pipermail/talk/attachments/20050920/63be8739/attachment.html>

From codebowl at gmail.com  Tue Sep 20 11:40:06 2005
From: codebowl at gmail.com (Joseph Crawford)
Date: Tue, 20 Sep 2005 11:40:06 -0400
Subject: [nycphp-talk] [PHP] Fwd: Code Optimization Help
In-Reply-To: <433017F6.4060700@iamjochem.com>
References: <8d9a428005091611552eb8f15e@mail.gmail.com>
	<8d9a428005092004161d1c65c8@mail.gmail.com>
	<432FFB10.20402@iamjochem.com>
	<8d9a4280050920052844161039@mail.gmail.com>
	<43300D85.50703@iamjochem.com>
	<8d9a42800509200633395d27b9@mail.gmail.com>
	<433017F6.4060700@iamjochem.com>
Message-ID: <8d9a428005092008401861677@mail.gmail.com>

Ok so finally i implemented my logging class into my mail merge object, this 
is the results

Word -> Application Opened.
Word -> Document1 Document Added.
Word -> header.doc Document Saved.
Word -> header.doc Document Closed.
Word -> Document2 Document Added.
Word -> ds.doc Document Saved.
Word -> ds.doc Document Closed.
Word -> Has_Site.dot Document Opened.
Word -> Opening Header Source.
F:/htdocs/csaf/data/mailmerge/header.doc File Exists

I threw in a file_exists check to make sure the script was actually seeing 
the file and had the correct path. It does. This is very strange because 
nothing happens, it's like i hit a never ending loop but php never times out 
either. I have my php timeout to 30 seconds yet this has run in excess of 5 
minutes now.

The expected results for the log would look something like this
Word -> Application Opened.
Word -> Document1 Document Added.
Word -> header.doc Document Saved.
Word -> header.doc Document Closed.
Word -> Document2 Document Added.
Word -> ds.doc Document Saved.
Word -> ds.doc Document Closed.
Word -> Has_Site.dot Document Opened.
Word -> Opening Header Source.
F:/htdocs/csaf/data/mailmerge/header.doc File Exists
Word -> Opening Data Source.
Word -> Executing Merge.
Word -> Has_Site.doc Document Saved.
Word -> Has_Site.doc Document Closed.
Word -> Merge Successful.


The code that is hanging is below

private function CreateDocument($template) {
$this->obj->Documents->Open($this->mm_data_dir.'/'.$template.'.dot');
Logger::log('Word -> '.$this->obj->ActiveDocument->Name().' Document 
Opened.');

Logger::log('Word -> Opening Header Source.');
if(file_exists($this->mm_data_dir.'/header.doc')) {
Logger::log($this->mm_data_dir.'/header.doc File Exists');
}
// THIS IS THE LINE THAT HANGS, THE FILE EXISTS AND IS POPULATED THE FILE 
CONTENTS CAN BE SEEN HERE
http://codebowl.dontexist.net/bugs/MailMerge/3.jpg$this->obj->ActiveDocument->MailMerge->OpenHeaderSource($this->mm_data_dir.'/header.doc');
Logger::log('Word -> Opening Data Source.');
$this->obj->ActiveDocument->MailMerge->OpenDataSource($this->mm_data_dir.'/ds.doc');
Logger::log('Word -> Executing Merge.');
$this->obj->ActiveDocument->MailMerge->Execute();
$this->obj->ActiveDocument->SaveAs($this->mm_data_dir.'/'.$template.'.doc');
Logger::log('Word -> '.$this->obj->ActiveDocument->Name().' Saved.'); 
Logger::log('Word -> '.$this->obj->ActiveDocument->Name().' Document 
Closed.');
$this->obj->ActiveDocument->Close();
}

Any help with this would be appreciated. I am not sure why it is choosing to 
hang today ;( I have been going through the COM object API documentation and 
i dont see myself doing anything i shouldnt be doing.

You can see the full code here
http://pastebin.com/369068
that is if it hasnt expired, if so send a reply and i will post again ;)
Thanks in advance

-- 
Joseph Crawford Jr.
Codebowl Solutions, Inc.
1-802-671-2021
codebowl at gmail.com
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.nyphp.org/pipermail/talk/attachments/20050920/a72d7fe0/attachment.html>

From tom at supertom.com  Tue Sep 20 11:43:16 2005
From: tom at supertom.com (Tom Melendez)
Date: Tue, 20 Sep 2005 11:43:16 -0400
Subject: [nycphp-talk] Quickform: Select All Checkboxes
In-Reply-To: <199901c5bdf3$bf5ca6b0$0600000a@rayl>
References: <33DFD788D44E404CB92B90176DEC061A6DAFAA@NYCPDMSXMB06.ad.tiaa-cref.org>
	<199901c5bdf3$bf5ca6b0$0600000a@rayl>
Message-ID: <43302E14.9040703@supertom.com>

Hi Mike,

It's possible that you are asking the question of, "Does QF have 
something built-in for this, or is there a 'Quickform' way of doing 
this?".  I use QF and am not familar with their way of handling this.  
Instead, I just output a general javascript function that takes the name 
of the checkbox array and whether to turn them all on or off.  Since the 
function is general, it doesn't care if there is one, or 1000.  The html 
for the selectall/clearall links and the extra javascript I just add to 
the form with the 'html' element:

$form->addElement('html',$myhtmlstring);

If anyone knows a better way, I'm all ears.

Thanks,

Tom

http://www.liphp.org

Ray Lance wrote:

> It might help to notice that php runs on the webserver, whereas the 
> select-all function would be wanted locally, on the browser client.
>
>     ----- Original Message -----
>     *From:* Nunez, Eddy <mailto:enunez at tiaa-cref.org>
>     *To:* NYPHP Talk <mailto:talk at lists.nyphp.org>
>     *Sent:* Tuesday, September 20, 2005 10:16 AM
>     *Subject:* [work] Re: [nycphp-talk] Quickform: Select All Checkboxes
>
>     Only way to implement a "(de)select all" at the browser level is
>     with Javascript.
>     Maybe QF has something built-in ... likely not since it's called
>     "Quick" forms.
>     As far as I know, PHP can't help you there.
>      
>     -Eddy
>
>         -----Original Message-----
>         *From:* talk-bounces at lists.nyphp.org
>         <mailto:talk-bounces at lists.nyphp.org>
>         [mailto:talk-bounces at lists.nyphp.org]*On Behalf Of *Mike Lynch
>         *Sent:* Tuesday, September 20, 2005 4:56 AM
>         *To:* talk at lists.nyphp.org
>         *Subject:* [nycphp-talk] Quickform: Select All Checkboxes
>
>         Hi All
>          
>         I am using QF to display a variable number of checkboxes
>         (depends on what is returned from a database query).
>         The number of "checkable" items can be quite large.
>          
>         What is the best way to implement a "Select All" and "Deselect
>         All" option for these checkboxes in Quickform ?
>          
>         Thanks
>          
>         Mike
>
>     |
>
>     **************************************************************
>     This message, including any attachments, contains confidential
>     information intended for a specific individual and purpose, and is
>     protected by law. If you are not the intended recipient, please
>     contact sender immediately by reply e-mail and destroy all copies.
>     You are hereby notified that any disclosure, copying, or
>     distribution of this message, or the taking of any action based on
>     it, is strictly prohibited.
>     TIAA-CREF
>     **************************************************************
>     |
>
>     ------------------------------------------------------------------------
>     _______________________________________________
>     New York PHP Talk Mailing List
>     AMP Technology
>     Supporting Apache, MySQL and PHP
>     http://lists.nyphp.org/mailman/listinfo/talk
>     http://www.nyphp.org
>
>------------------------------------------------------------------------
>
>_______________________________________________
>New York PHP Talk Mailing List
>AMP Technology
>Supporting Apache, MySQL and PHP
>http://lists.nyphp.org/mailman/listinfo/talk
>http://www.nyphp.org
>  
>



From dmintz at davidmintz.org  Tue Sep 20 11:59:11 2005
From: dmintz at davidmintz.org (David Mintz)
Date: Tue, 20 Sep 2005 11:59:11 -0400 (EDT)
Subject: [nycphp-talk] Quickform: Select All Checkboxes
In-Reply-To: <43302E14.9040703@supertom.com>
References: <33DFD788D44E404CB92B90176DEC061A6DAFAA@NYCPDMSXMB06.ad.tiaa-cref.org>
	<199901c5bdf3$bf5ca6b0$0600000a@rayl> <43302E14.9040703@supertom.com>
Message-ID: <Pine.BSF.4.58.0509201152010.13915@emra.pair.com>

On Tue, 20 Sep 2005, Tom Melendez wrote:

> Hi Mike,
>
> It's possible that you are asking the question of, "Does QF have
> something built-in for this, or is there a 'Quickform' way of doing
> this?".  I use QF and am not familar with their way of handling this.
> Instead, I just output a general javascript function that takes the name
> of the checkbox array and whether to turn them all on or off.  Since the
> function is general, it doesn't care if there is one, or 1000.  The html
> for the selectall/clearall links and the extra javascript I just add to
> the form with the 'html' element:
>
> $form->addElement('html',$myhtmlstring);
>
> If anyone knows a better way, I'm all ears.

This might not be of interest because it sounds like you are using the
default renderer rather than a template engine. If you're using just the
default renderer and plan to stick with it, the above technique seems ok.
But if you switch to a template engine, the 'html' psuedo-element probably
will not be supported by your renderer, but you will of course have the
ability to put your own javascript directly in the template itself.


---
David Mintz
http://davidmintz.org/


From mlynch1 at gmail.com  Tue Sep 20 12:18:56 2005
From: mlynch1 at gmail.com (Mike Lynch)
Date: Tue, 20 Sep 2005 17:18:56 +0100
Subject: [nycphp-talk] Quickform: Select All Checkboxes
In-Reply-To: <Pine.BSF.4.58.0509201152010.13915@emra.pair.com>
References: <33DFD788D44E404CB92B90176DEC061A6DAFAA@NYCPDMSXMB06.ad.tiaa-cref.org>
	<199901c5bdf3$bf5ca6b0$0600000a@rayl> <43302E14.9040703@supertom.com>
	<Pine.BSF.4.58.0509201152010.13915@emra.pair.com>
Message-ID: <9db292e905092009182984b48e@mail.gmail.com>

Hi All
 Thanks for the replies. I'm using the default QF renderer so I guess Tom's 
solution best fits my needs.
I was afraid was I missing something obvious in Quickform.
 Regards
 Mike

 On 9/20/05, David Mintz <dmintz at davidmintz.org> wrote: 
> 
> On Tue, 20 Sep 2005, Tom Melendez wrote:
> 
> > Hi Mike,
> >
> > It's possible that you are asking the question of, "Does QF have
> > something built-in for this, or is there a 'Quickform' way of doing
> > this?". I use QF and am not familar with their way of handling this.
> > Instead, I just output a general javascript function that takes the name
> > of the checkbox array and whether to turn them all on or off. Since the
> > function is general, it doesn't care if there is one, or 1000. The html
> > for the selectall/clearall links and the extra javascript I just add to
> > the form with the 'html' element:
> >
> > $form->addElement('html',$myhtmlstring);
> >
> > If anyone knows a better way, I'm all ears.
> 
> This might not be of interest because it sounds like you are using the
> default renderer rather than a template engine. If you're using just the
> default renderer and plan to stick with it, the above technique seems ok.
> But if you switch to a template engine, the 'html' psuedo-element probably
> will not be supported by your renderer, but you will of course have the
> ability to put your own javascript directly in the template itself.
> 
> 
> ---
> David Mintz
> http://davidmintz.org/
> _______________________________________________
> New York PHP Talk Mailing List
> AMP Technology
> Supporting Apache, MySQL and PHP
> http://lists.nyphp.org/mailman/listinfo/talk
> http://www.nyphp.org
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.nyphp.org/pipermail/talk/attachments/20050920/8642b746/attachment.html>

From lists at zaunere.com  Wed Sep 21 09:28:29 2005
From: lists at zaunere.com (Hans Zaunere)
Date: Wed, 21 Sep 2005 09:28:29 -0400
Subject: [nycphp-talk] Phundamentals Title Change: Email Header Injection
In-Reply-To: <432DC15A.8080409@php.net>
Message-ID: <0MKoyl-1EI4eH3FnI-0008Lx@mrelay.perfora.net>



Chris Shiflett wrote on Sunday, September 18, 2005 3:35 PM:
> Jeff Siegel wrote:
> > See: http://www.nyphp.org/phundamentals/email_header_injection.php
> 
> I recommend that we change:
> 
> "All PHP scripts which send email based on input data are vulnerable."
> 
> to:
> 
> "All PHP scripts which send email based on tainted data are
> vulnerable." 
> 
> or:
> 
> "All PHP scripts which send email based on input data might be
> vulnerable." 
> 
> It might be better to reword it some other way, but it's false as
> written. 

Or better yet:

All PHP scripts which use external data as any part of a constructed email
header, such as when a form accepts data that will populate a To:, From: or
Subject: header field, may be vulnerable.

H



From codebowl at gmail.com  Wed Sep 21 16:11:50 2005
From: codebowl at gmail.com (Joseph Crawford)
Date: Wed, 21 Sep 2005 16:11:50 -0400
Subject: [nycphp-talk] Zend Certification
In-Reply-To: <432AE509.2060502@php.net>
References: <5458518f0509151831af53b9b@mail.gmail.com>
	<432AE509.2060502@php.net>
Message-ID: <8d9a4280050921131166071eff@mail.gmail.com>

I just took the exam and passed. I would in no way say that this test will
prove you are an expert... afterall i dont think asking anyone X questions
would ever make them an expert. I do however hope that it will lead me to
getting more work. It took me a total of around 50 minutes to do the test
and then check my answers i had something like 38 minutes remaining IIRC. I
would like to see a more advanced PHP certification in the future, as i
would be inclined to take the training for that to make sure i am on the up
and up ;)

--
Joseph Crawford Jr.
Zend Certified Engineer
Codebowl Solutions, Inc.
1-802-671-2021
codebowl at gmail.com
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.nyphp.org/pipermail/talk/attachments/20050921/4bba883c/attachment.html>

From agfische at email.smith.edu  Wed Sep 21 16:31:06 2005
From: agfische at email.smith.edu (Aaron Fischer)
Date: Wed, 21 Sep 2005 16:31:06 -0400
Subject: [nycphp-talk] Zend Certification
In-Reply-To: <8d9a4280050921131166071eff@mail.gmail.com>
References: <5458518f0509151831af53b9b@mail.gmail.com>	<432AE509.2060502@php.net>
	<8d9a4280050921131166071eff@mail.gmail.com>
Message-ID: <4331C30A.5050007@email.smith.edu>

Huh?  Zend Certified Engineer?

Engineer seems a bit over the top, I'm surprised that Zend would choose 
such a term. 

Thoughts? 

-Aaron




From papillion at gmail.com  Wed Sep 21 16:39:44 2005
From: papillion at gmail.com (Anthony Papillion)
Date: Wed, 21 Sep 2005 15:39:44 -0500
Subject: [nycphp-talk] Zend Certification
In-Reply-To: <4331C30A.5050007@email.smith.edu>
References: <5458518f0509151831af53b9b@mail.gmail.com>
	<432AE509.2060502@php.net> <8d9a4280050921131166071eff@mail.gmail.com>
	<4331C30A.5050007@email.smith.edu>
Message-ID: <5458518f0509211339548fe213@mail.gmail.com>

On 9/21/05, Aaron Fischer <agfische at email.smith.edu> wrote:
> Huh? Zend Certified Engineer?
>
> Engineer seems a bit over the top, I'm surprised that Zend would choose
> such a term.

I'm not sure that engineer is as over the top as it might seem at first
glance. I know that software developers calling themselves engineers has
been the bane of the engineering community for years but consider this: what
does an engineer essentially do? Create, build, and structure things. What
do programmers (be they traditional software or web apps) do? Create, build,
and structure things. So while the classic definition of engineer might not
totally fit, they are essentially doing the same things. They are just using
different tools.

--
Anthony Papillion
Advanced Data Concepts
Phone: (918) 926-0139
ICQ: 96-698-595

CAN ONE VOICE CHANGE THE WORLD?
http://www.one.org
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.nyphp.org/pipermail/talk/attachments/20050921/a1de0493/attachment.html>

From shiflett at php.net  Wed Sep 21 17:47:24 2005
From: shiflett at php.net (Chris Shiflett)
Date: Wed, 21 Sep 2005 17:47:24 -0400
Subject: [nycphp-talk] Zend Certification
In-Reply-To: <5458518f0509211339548fe213@mail.gmail.com>
References: <5458518f0509151831af53b9b@mail.gmail.com>
	<432AE509.2060502@php.net> <8d9a4280050921131166071eff@mail.gmail.com>
	<4331C30A.5050007@email.smith.edu>
	<5458518f0509211339548fe213@mail.gmail.com>
Message-ID: <4331D4EC.10406@php.net>

Anthony Papillion wrote:
> I'm not sure that engineer is as over the top as it might seem at
> first glance. I know that software developers calling themselves
> engineers has been the bane of the engineering community for years

Really? That's weird. "A person who uses scientific knowledge to solve 
practical problems" sounds pretty generic to me.

I have had my share of electrical engineering classes, but I never 
considered software engineering to be infringing upon my elite status as 
circuit boy. :-) In fact, when I was in EE, I would have considered the 
bane of the EE community to be those calling themselves electrical 
engineers who sucked.

Maybe we can call ourselves software manufacturers and be the bane of 
the manufacturing industry. :-)

My grandfather was an engineer - he operated a locomotive. I think he 
has more right to the term than any of us.

Chris

-- 
Chris Shiflett
Brain Bulb, The PHP Consultancy
http://brainbulb.com/


From krook at us.ibm.com  Wed Sep 21 17:56:28 2005
From: krook at us.ibm.com (Daniel Krook)
Date: Wed, 21 Sep 2005 17:56:28 -0400
Subject: [nycphp-talk] Zend Certification
In-Reply-To: <4331D4EC.10406@php.net>
Message-ID: <OFE045963D.8D4D16B5-ON85257083.00782E0B-85257083.0078866E@us.ibm.com>

> > I'm not sure that engineer is as over the top as it might seem at
> > first glance. I know that software developers calling themselves
> > engineers has been the bane of the engineering communityfor years
> 
...
> 
> My grandfather was an engineer - he operated a locomotive.
> I think he 
> has more right to the term than any of us.


The next logical step in this debate is whether Information Architects or 
Software Architects truly are.

Of course, those two roles have more right to the word "architecture" than 
building architects who claim that they've "built" a structure have a 
right to that word, annoying those of us who did at one time wield a 
hammer, nails and Sawzalls for a living.   : )





Daniel Krook, Advisory IT Specialist 
Application Development, Production Services - Tools, ibm.com

Personal: http://info.krook.org/
BluePages: http://bluepages.redirect.webahead.ibm.com/
BlogPages: http://blogpages.redirect.webahead.ibm.com/




From jeff.knight at gmail.com  Wed Sep 21 18:02:59 2005
From: jeff.knight at gmail.com (Jeff Knight)
Date: Wed, 21 Sep 2005 18:02:59 -0400
Subject: [nycphp-talk] Zend Certification
In-Reply-To: <OFE045963D.8D4D16B5-ON85257083.00782E0B-85257083.0078866E@us.ibm.com>
References: <4331D4EC.10406@php.net>
	<OFE045963D.8D4D16B5-ON85257083.00782E0B-85257083.0078866E@us.ibm.com>
Message-ID: <2ca9ba9105092115029d53308@mail.gmail.com>

I used to be a ninja, but now I'm a Cowboy!
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.nyphp.org/pipermail/talk/attachments/20050921/964def00/attachment.html>

From matt at jobsforge.com  Wed Sep 21 20:56:28 2005
From: matt at jobsforge.com (Matthew Terenzio)
Date: Wed, 21 Sep 2005 20:56:28 -0400
Subject: [nycphp-talk] Zend Certification
In-Reply-To: <4331C30A.5050007@email.smith.edu>
References: <5458518f0509151831af53b9b@mail.gmail.com>	<432AE509.2060502@php.net>
	<8d9a4280050921131166071eff@mail.gmail.com>
	<4331C30A.5050007@email.smith.edu>
Message-ID: <317f8e9a2339385d2072e05c56c3ce88@jobsforge.com>


On Sep 21, 2005, at 4:31 PM, Aaron Fischer wrote:

> Engineer seems a bit over the top, I'm surprised that Zend would choose
> such a term.

Not sure why it bothers you. I have a Masters degree in Internet 
Engineering. What does that mean? I haven't seen the certification test 
but I'm guessing it's in line with Microsoft Certified Engineer or 
whatever they call it.





From greg.rundlett at gmail.com  Wed Sep 21 22:52:56 2005
From: greg.rundlett at gmail.com (Greg Rundlett)
Date: Wed, 21 Sep 2005 22:52:56 -0400
Subject: [nycphp-talk] Design Patterns Webinar
Message-ID: <5e2aaca40509211952634d7f08@mail.gmail.com>

php|symphony Live Talk Series::*FREE Live Web Seminar: Design Patterns in
PHP with Jason E. Sweat (October 20, 2005)*
Join us for an exciting new webcast in our php|symphony series!

This time, Jason E. Sweat, author of php|architect's Guide to PHP Design
Patterns <http://www.phparch.com/gpdp>, will tackle the topic of Design
Patterns and how they can be applied to the world of PHP programming.

This web seminar will be broadcast live on October 20, 2005 at 1PM Eastern
Time (click here<http://www.timeanddate.com/worldclock/fixedtime.html?month=10&day=20&year=2005&hour=13&min=0&sec=0&p1=250&sort=1>to
see how that translates into your time zone). You will be able to
interact directly with Jason and hear his voice as he gives his
presentation.

The webcast will run for approximately one hour, including a Q&A session.

Participation in the webcast is free, but space is limited. All you need is
a computer with a web browser capable of running Macromedia Flash, speakers
or a headset and an Internet connection (28.8kbps or higher). See
http://www.phparch.com/shop_product.php?itemid=102 to sign up
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.nyphp.org/pipermail/talk/attachments/20050921/25722871/attachment.html>

From 1j0lkq002 at sneakemail.com  Thu Sep 22 01:06:48 2005
From: 1j0lkq002 at sneakemail.com (inforequest)
Date: Wed, 21 Sep 2005 22:06:48 -0700
Subject: [nycphp-talk] Zend Certification
In-Reply-To: <OFE045963D.8D4D16B5-ON85257083.00782E0B-85257083.0078866E@us.ibm.com>
References: <OFE045963D.8D4D16B5-ON85257083.00782E0B-85257083.0078866E@us.ibm.com>
Message-ID: <20600-02258@sneakemail.com>

Daniel Krook krook-at-us.ibm.com |nyphp dev/internal group use| wrote:

>The next logical step in this debate is whether Information Architects or 
>Software Architects truly are.
>
>Of course, those two roles have more right to the word "architecture" than 
>building architects who claim that they've "built" a structure have a 
>right to that word, annoying those of us who did at one time wield a 
>hammer, nails and Sawzalls for a living.   : )
>  
>

Well, the legal argument surrounds licensing. An architect is not 
licensed by the government (but his buildings have to be signed off by a 
licensed Professional Engineer before they can be built, and again 
before they can be occupied by the public.. and a few additional times 
for the heating/AC systems, plumbing, etc). You do not need permission 
to call yourself an architect, but you do need a license to call 
yourself a Professional Engineer. You similarly cannot claim to be a 
Lawyer, or a Doctor unless you are licensed to practice.

And to get that license you need to complete a degree program from a 
school accredited by the Engineering accrediting group. And then take 
two different 8 hour tests, usually years apart. The first is a 
comprehensive test covering 4 years of engineering school (across 
several engineering disciplines, even if you only studied one of those). 
The second is based on practice, and is only offered to you after you 
have completed a certain amount of real-world engineering work and at 
least one licensed PE signs an affidavit  that you did indeed do that 
work and it was quality work. That second test is practical engineering 
work in your discipline. Pass them both and you get to call yourself a 
Professional Engineer.

Now Engineers are not a very litigious group by nature, so plenty of 
people put "engineer" and even "Engineer" on their business cards. The 
Professional Engineers have a legal basis for preventing others from 
conducting commerce as Engineers/Engineering. It is widely  reported 
that using the "little e" version of engineer is tolerated.

Now Realtor is not a real word... it was made up as a trademark. The 
Realtors litigate that one seriously, so no, unless you are a member of 
the Realtor association (not a government license.. just a trade group) 
you cannot call your self a Realtor.

I have a Bachelor of Engineering from an accredited school, a Masters 
Degree in Engineerng Science and was a candidate for the Ph.D. in 
Electrical Engineering at an accredited school. I doubt I could ever 
have done numerical algorithms or digital signal processing work (all 
code) without a very serious math/science/engineering education, but 
some CIS guys are amazing and certainly equivalent to Engineers in their 
analytical and problem solving skills. Those are not typical programmers 
or developers, however, and they are usually Ph.D. level scientists who 
have in fact received equivalent training. I don't see them calling 
themselves Software Engineers though.

-=john andrews
http://www.seo-fun.com



From shiflett at php.net  Thu Sep 22 01:19:05 2005
From: shiflett at php.net (Chris Shiflett)
Date: Thu, 22 Sep 2005 01:19:05 -0400
Subject: [nycphp-talk] Zend Certification
In-Reply-To: <20600-02258@sneakemail.com>
References: <OFE045963D.8D4D16B5-ON85257083.00782E0B-85257083.0078866E@us.ibm.com>
	<20600-02258@sneakemail.com>
Message-ID: <43323EC9.7060703@php.net>

inforequest wrote:
> You do not need permission to call yourself an architect, but you
> do need a license to call yourself a Professional Engineer.

That's why it's Professional Engineer instead of Engineer. PE is like 
MCSE or ZCE, although it's obviously much more respected (and difficult 
to achieve).

> You similarly cannot claim to be a Lawyer, or a Doctor unless you
> are licensed to practice.

Tell that to the PhDs. :-)

> Now Engineers are not a very litigious group by nature, so plenty
> of people put "engineer" and even "Engineer" on their business
> cards. The Professional Engineers have a legal basis for preventing
> others from conducting commerce as Engineers/Engineering. It is
> widely reported that using the "little e" version of engineer is
> tolerated.

They have no choice but to tolerate the use of the word. People have 
tried to trademark words before (the guy who trademarked stealth, for 
example), but I think most people, like me, just think that's silly.

> Those are not typical programmers or developers, however, and they
> are usually Ph.D. level scientists who have in fact received
> equivalent training. I don't see them calling themselves Software
> Engineers though.

Most prefer the term computer scientist, I think. Software engineering 
is a subset of computer science.

Chris

-- 
Chris Shiflett
Brain Bulb, The PHP Consultancy
http://brainbulb.com/


From dipeshjr at yahoo.com  Thu Sep 22 08:55:51 2005
From: dipeshjr at yahoo.com (DIPESH RABADIYA)
Date: Thu, 22 Sep 2005 05:55:51 -0700 (PDT)
Subject: [nycphp-talk] PHP / Word 2003 COM
In-Reply-To: <8d9a428005091610298aaa589@mail.gmail.com>
Message-ID: <20050922125552.67198.qmail@web54006.mail.yahoo.com>

Respected Sir,

I'm,Dipesh Rabadiya, working with php for 2 years
and I want to work with you, if you don't mind.

Sir I'm Searching for outsourcing work for php
so, could You pls Help me.....

Waiting for Your Reply

Regards

Dipesh
--- Joseph Crawford <codebowl at gmail.com> wrote:

> Through extensive testing i have found this to work
> everytime that i run it 
> in debug mode through zend studio, however when i
> run it via the URL it 
> crashes Apache and this is the contents of the Error
> Log
> 
> [Fri Sep 16 13:14:18 2005] [notice] Parent: child
> process exited with status 
> 3221225477 -- Restarting.
> [Fri Sep 16 13:14:19 2005] [notice] Apache/2.0.54
> (Win32) PHP/5.0.4 
> configured -- resuming normal operations
> [Fri Sep 16 13:14:19 2005] [notice] Server built:
> Apr 16 2005 14:25:31
> [Fri Sep 16 13:14:19 2005] [notice] Parent: Created
> child process 5396
> [Fri Sep 16 13:14:20 2005] [notice] Child 5396:
> Child process is running
> [Fri Sep 16 13:14:20 2005] [notice] Child 5396:
> Acquired the start mutex.
> [Fri Sep 16 13:14:20 2005] [notice] Child 5396:
> Starting 250 worker threads.
> 
> Anyone that can help i would very much appreciate
> it.
> 
> 
> -- 
> Joseph Crawford Jr.
> Codebowl Solutions, Inc.
> 1-802-671-2021
> codebowl at gmail.com
> > _______________________________________________
> New York PHP Talk Mailing List
> AMP Technology
> Supporting Apache, MySQL and PHP
> http://lists.nyphp.org/mailman/listinfo/talk
> http://www.nyphp.org



		
__________________________________ 
Yahoo! Mail - PC Magazine Editors' Choice 2005 
http://mail.yahoo.com


From dipeshsenior at yahoo.com  Thu Sep 22 09:35:45 2005
From: dipeshsenior at yahoo.com (Dipesh Rabadiya)
Date: Thu, 22 Sep 2005 06:35:45 -0700 (PDT)
Subject: [nycphp-talk] PHP / Word 2003 COM
In-Reply-To: <4332B1FE.8010000@omnistep.com>
Message-ID: <20050922133545.22874.qmail@web35905.mail.mud.yahoo.com>

Most respected sir,

I'm, Dipesh Senior, working with php for 2 years and 1
 1/2 months.  I want to work with you much more than
Jr.

Sir, I'm Searching for outsourcing work for php and
bash scripting or QBasic so, could u pls hlp me.....

Waiting eagerly For your Reply

kindest Regards
 
Dipesh Sr.

 
> Date: Thu, 22 Sep 2005 05:55:51 -0700 (PDT)
> From: DIPESH RABADIYA <dipeshjr at yahoo.com>
> To: NYPHP Talk <talk at lists.nyphp.org>
> Subject: Re: [nycphp-talk] PHP / Word 2003 COM
> 
> Respected Sir,
> 
> I'm,Dipesh Rabadiya, working with php for 2 years
> and I want to work with you, if you don't mind.
> 
> Sir I'm Searching for outsourcing work for php
> so, could You pls Help me.....
> 
> Waiting for Your Reply
> 
> Regards
> 
> Dipesh
> --- Joseph Crawford <codebowl at gmail.com> wrote:
> 
> > Through extensive testing i have found this to
> work
> > everytime that i run it 
> > in debug mode through zend studio, however when i



		
__________________________________ 
Yahoo! Mail - PC Magazine Editors' Choice 2005 
http://mail.yahoo.com


From codebowl at gmail.com  Thu Sep 22 10:10:59 2005
From: codebowl at gmail.com (Joseph Crawford)
Date: Thu, 22 Sep 2005 10:10:59 -0400
Subject: [nycphp-talk] PHP / Word 2003 COM
In-Reply-To: <20050922133545.22874.qmail@web35905.mail.mud.yahoo.com>
References: <4332B1FE.8010000@omnistep.com>
	<20050922133545.22874.qmail@web35905.mail.mud.yahoo.com>
Message-ID: <8d9a4280050922071063054528@mail.gmail.com>

most respected sir,

I am not sure why you would think i have work i can outsource but when i do
have work i also try to outsource to people in the USA, I apologise but i
have nothing at this time. Also when you are sending emails like this it may
be better to keep them off list

--
Joseph Crawford Jr.
Zend Certified Engineer
Codebowl Solutions, Inc.
1-802-671-2021
codebowl at gmail.com
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.nyphp.org/pipermail/talk/attachments/20050922/14de0825/attachment.html>

From dmintz at davidmintz.org  Thu Sep 22 12:04:12 2005
From: dmintz at davidmintz.org (David Mintz)
Date: Thu, 22 Sep 2005 12:04:12 -0400 (EDT)
Subject: [nycphp-talk] email injection bot taking a break?
Message-ID: <Pine.BSF.4.58.0509221200590.16813@emra.pair.com>


I was logging and emailing myself every time one of my contact.php pages
was being abused by our little friend who inspired the latest Phundie
article. It was cranking for a couple weeks, but has lately dropped to
zero visits/day.

Anybody else observed a similar trend, or am i just lucky?


---
David Mintz
http://davidmintz.org/


From kenrbnsn at rbnsn.com  Thu Sep 22 12:11:33 2005
From: kenrbnsn at rbnsn.com (Ken Robinson)
Date: Thu, 22 Sep 2005 12:11:33 -0400
Subject: [nycphp-talk] email injection bot taking a break?
In-Reply-To: <Pine.BSF.4.58.0509221200590.16813@emra.pair.com>
References: <Pine.BSF.4.58.0509221200590.16813@emra.pair.com>
Message-ID: <6.2.5.4.2.20050922120944.06afeb18@rbnsn.com>

At 12:04 PM 9/22/2005, David Mintz wrote:

>I was logging and emailing myself every time one of my contact.php pages
>was being abused by our little friend who inspired the latest Phundie
>article. It was cranking for a couple weeks, but has lately dropped to
>zero visits/day.
>
>Anybody else observed a similar trend, or am i just lucky?

The number of hits has diminished, but it hasn't quite gone down to 
zero. I had 1 or 2 tries yesterday. Of course the person behind this 
may have found some unprotected forms and gave up on the ones we have 
protected.

Ken 



From rolan at omnistep.com  Thu Sep 22 12:14:27 2005
From: rolan at omnistep.com (Rolan Yang)
Date: Thu, 22 Sep 2005 12:14:27 -0400
Subject: [nycphp-talk] email injection bot taking a break?
In-Reply-To: <Pine.BSF.4.58.0509221200590.16813@emra.pair.com>
References: <Pine.BSF.4.58.0509221200590.16813@emra.pair.com>
Message-ID: <4332D863.6000509@omnistep.com>

Sounds like the calm before the storm. I'm thinking of purposely leaving 
one script open just so to see what kind of malicious stuff passes 
though, but feedback script would rewrite the injected cc: and bcc: 
addresses with a target email address of my own instead of passing it on 
to the victim.

~Rolan

David Mintz wrote:

>I was logging and emailing myself every time one of my contact.php pages
>was being abused by our little friend who inspired the latest Phundie
>article. It was cranking for a couple weeks, but has lately dropped to
>zero visits/day.
>
>Anybody else observed a similar trend, or am i just lucky?
>
>
>  
>


From jbaltz at altzman.com  Thu Sep 22 12:21:37 2005
From: jbaltz at altzman.com (Jerry B. Altzman)
Date: Thu, 22 Sep 2005 12:21:37 -0400
Subject: [nycphp-talk] Zend Certification
In-Reply-To: <20600-02258@sneakemail.com>
References: <OFE045963D.8D4D16B5-ON85257083.00782E0B-85257083.0078866E@us.ibm.com>
	<20600-02258@sneakemail.com>
Message-ID: <4332DA11.9030305@altzman.com>

On 9/22/2005 1:06 AM, inforequest wrote:

> yourself a Professional Engineer. You similarly cannot claim to be a 
> Lawyer, or a Doctor unless you are licensed to practice.

Those of us with Ph.D.s beg to differ on that last point.
:-)

> -=john andrews

//jbaltz
-- 
jerry b. altzman        jbaltz at altzman.com              KE3ML
thank you for contributing to the heat death of the universe.


From sol2ray at gmail.com  Thu Sep 22 13:17:39 2005
From: sol2ray at gmail.com (Sol Toure)
Date: Thu, 22 Sep 2005 13:17:39 -0400
Subject: [nycphp-talk] email injection bot taking a break?
In-Reply-To: <4332D863.6000509@omnistep.com>
References: <Pine.BSF.4.58.0509221200590.16813@emra.pair.com>
	<4332D863.6000509@omnistep.com>
Message-ID: <4a67dc39050922101758ada2e8@mail.gmail.com>

It seems to me that the person doing this belongs to this list. I have seen
the first attempt on one of my contact form this week. Or maybe after this
thread started someone from the list tried it and that happened to be my
site?


On 9/22/05, Rolan Yang <rolan at omnistep.com> wrote:
>
> Sounds like the calm before the storm. I'm thinking of purposely leaving
> one script open just so to see what kind of malicious stuff passes
> though, but feedback script would rewrite the injected cc: and bcc:
> addresses with a target email address of my own instead of passing it on
> to the victim.
>
> ~Rolan
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.nyphp.org/pipermail/talk/attachments/20050922/0339dc69/attachment.html>

From jeff.knight at gmail.com  Thu Sep 22 13:40:34 2005
From: jeff.knight at gmail.com (Jeff Knight)
Date: Thu, 22 Sep 2005 13:40:34 -0400
Subject: [nycphp-talk] email injection bot taking a break?
In-Reply-To: <4a67dc39050922101758ada2e8@mail.gmail.com>
References: <Pine.BSF.4.58.0509221200590.16813@emra.pair.com>
	<4332D863.6000509@omnistep.com>
	<4a67dc39050922101758ada2e8@mail.gmail.com>
Message-ID: <2ca9ba910509221040107edfb7@mail.gmail.com>

Congratulations, that has to be the most asinine and offensive post to this
list in its entire history. A number of people take time out of their busy
schedules to first alert you to, and then discuss and publish a method to
protect you from a current vulnerability, and the best you can do is accuse
one of them of causing it?

On 9/22/05, Sol Toure <sol2ray at gmail.com> wrote:
>
> It seems to me that the person doing this belongs to this list. I have
> seen the first attempt on one of my contact form this week. Or maybe after
> this thread started someone from the list tried it and that happened to be
> my site?
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.nyphp.org/pipermail/talk/attachments/20050922/66e30be0/attachment.html>

From 1j0lkq002 at sneakemail.com  Thu Sep 22 14:28:10 2005
From: 1j0lkq002 at sneakemail.com (inforequest)
Date: Thu, 22 Sep 2005 11:28:10 -0700
Subject: [nycphp-talk] email injection bot taking a break?
In-Reply-To: <4332D863.6000509@omnistep.com>
References: <Pine.BSF.4.58.0509221200590.16813@emra.pair.com>
	<4332D863.6000509@omnistep.com>
Message-ID: <13270-95064@sneakemail.com>

Rolan Yang rolan-at-omnistep.com |nyphp dev/internal group use| wrote:

>Sounds like the calm before the storm. I'm thinking of purposely leaving 
>one script open just so to see what kind of malicious stuff passes 
>though, but feedback script would rewrite the injected cc: and bcc: 
>addresses with a target email address of my own instead of passing it on 
>to the victim.
>
>~Rolan
>
>
>  
>

or........

collect email headers and build your own open proxy list ;-)

-=john andrews
http://www.seo-fun.com



From dmintz at davidmintz.org  Thu Sep 22 15:35:44 2005
From: dmintz at davidmintz.org (David Mintz)
Date: Thu, 22 Sep 2005 15:35:44 -0400 (EDT)
Subject: [nycphp-talk] email injection bot taking a break?
In-Reply-To: <2ca9ba910509221040107edfb7@mail.gmail.com>
References: <Pine.BSF.4.58.0509221200590.16813@emra.pair.com>
	<4332D863.6000509@omnistep.com>
	<4a67dc39050922101758ada2e8@mail.gmail.com>
	<2ca9ba910509221040107edfb7@mail.gmail.com>
Message-ID: <Pine.BSF.4.58.0509221532330.81534@emra.pair.com>

On Thu, 22 Sep 2005, Jeff Knight wrote:

> Congratulations, that has to be the most asinine and offensive post to this
> list in its entire history.<snip/>
>
> On 9/22/05, Sol Toure <sol2ray at gmail.com> wrote:
> >
> > It seems to me that the person doing this belongs to this list.


Heh. I was gonna say, that's just plain deranged, but you have a point,
Jeff.

---
David Mintz
http://davidmintz.org/


From jsiegel1 at optonline.net  Thu Sep 22 16:21:10 2005
From: jsiegel1 at optonline.net (Jeff Siegel)
Date: Thu, 22 Sep 2005 16:21:10 -0400
Subject: [nycphp-talk] email injection bot taking a break?
In-Reply-To: <Pine.BSF.4.58.0509221200590.16813@emra.pair.com>
Message-ID: <0IN800LPYJ7GR8A1@mta10.srv.hcvlny.cv.net>

The last time I got hit with it was on the 18th. 

Jeff




-----Original Message-----
From: talk-bounces at lists.nyphp.org [mailto:talk-bounces at lists.nyphp.org] On
Behalf Of David Mintz
Sent: Thursday, September 22, 2005 11:04 AM
To: talk at lists.nyphp.org
Subject: [nycphp-talk] email injection bot taking a break?


I was logging and emailing myself every time one of my contact.php pages
was being abused by our little friend who inspired the latest Phundie
article. It was cranking for a couple weeks, but has lately dropped to
zero visits/day.

Anybody else observed a similar trend, or am i just lucky?


---
David Mintz
http://davidmintz.org/
_______________________________________________
New York PHP Talk Mailing List
AMP Technology
Supporting Apache, MySQL and PHP
http://lists.nyphp.org/mailman/listinfo/talk
http://www.nyphp.org



From 1j0lkq002 at sneakemail.com  Thu Sep 22 17:14:00 2005
From: 1j0lkq002 at sneakemail.com (inforequest)
Date: Thu, 22 Sep 2005 14:14:00 -0700
Subject: [nycphp-talk] [OT] if you host on Ev1,
 back up your servers a.s.a.p. because Rita is coming
In-Reply-To: <0IN800LPYJ7GR8A1@mta10.srv.hcvlny.cv.net>
References: <0IN800LPYJ7GR8A1@mta10.srv.hcvlny.cv.net>
Message-ID: <14911-94623@sneakemail.com>

If you are on ev1's service, you may want to backup locally and check 
preparedness. The current storm is headed pretty close to the ev1 
datacenters, and while it seems they are prepared 
(http://forums.ev1servers.net/showthread.php?t=58244) it might be best 
to secure your own backups.

-=john andrews
http://www.seo-fun.com











From kenrbnsn at rbnsn.com  Thu Sep 22 17:37:47 2005
From: kenrbnsn at rbnsn.com (Ken Robinson)
Date: Thu, 22 Sep 2005 17:37:47 -0400
Subject: [nycphp-talk] email injection bot taking a break?
In-Reply-To: <0IN800LPYJ7GR8A1@mta10.srv.hcvlny.cv.net>
References: <Pine.BSF.4.58.0509221200590.16813@emra.pair.com>
	<0IN800LPYJ7GR8A1@mta10.srv.hcvlny.cv.net>
Message-ID: <6.2.5.4.2.20050922173710.026ace20@rbnsn.com>

At 04:21 PM 9/22/2005, Jeff Siegel wrote:
>The last time I got hit with it was on the 18th.

One of my sites got hit at about 4 AM this morning (9/22/05).

Ken 



From lists at zaunere.com  Thu Sep 22 17:46:26 2005
From: lists at zaunere.com (Hans Zaunere)
Date: Thu, 22 Sep 2005 17:46:26 -0400
Subject: [nycphp-talk] [OT] if you host on Ev1,
	back up your servers a.s.a.p. because Rita is coming
In-Reply-To: <14911-94623@sneakemail.com>
Message-ID: <0MKoyl-1EIYtg1Nfh-0003RO@mrelay.perfora.net>



inforequest wrote on Thursday, September 22, 2005 5:14 PM:
> If you are on ev1's service, you may want to backup locally and check
> preparedness. The current storm is headed pretty close to the ev1
> datacenters, and while it seems they are prepared
> (http://forums.ev1servers.net/showthread.php?t=58244) it might be best
> to secure your own backups.

I also figured Texas would be a pretty safe place to host.  Guess it's time
to start-up The Montana Hosting Company... land is cheap, but fiber would be
at a premium :)

H



From 1j0lkq002 at sneakemail.com  Thu Sep 22 17:56:08 2005
From: 1j0lkq002 at sneakemail.com (inforequest)
Date: Thu, 22 Sep 2005 14:56:08 -0700
Subject: [nycphp-talk] [OT] if you host on Ev1,
 back up your servers a.s.a.p. because Rita is coming
In-Reply-To: <0MKoyl-1EIYtg1Nfh-0003RO@mrelay.perfora.net>
References: <0MKoyl-1EIYtg1Nfh-0003RO@mrelay.perfora.net>
Message-ID: <23112-93362@sneakemail.com>

Hans Zaunere lists-at-zaunere.com |nyphp dev/internal group use| wrote:

>inforequest wrote on Thursday, September 22, 2005 5:14 PM:
>  
>
>>If you are on ev1's service, you may want to backup locally and check
>>preparedness. The current storm is headed pretty close to the ev1
>>datacenters, and while it seems they are prepared
>>(http://forums.ev1servers.net/showthread.php?t=58244) it might be best
>>to secure your own backups.
>>    
>>
>
>I also figured Texas would be a pretty safe place to host.  Guess it's time
>to start-up The Montana Hosting Company... land is cheap, but fiber would be
>at a premium :)
>
>H
>  
>
San Antonio yes, but Houston? :-)




From Consult at CovenantEDesign.com  Thu Sep 22 18:09:05 2005
From: Consult at CovenantEDesign.com (CED)
Date: Thu, 22 Sep 2005 18:09:05 -0400
Subject: [nycphp-talk] email injection bot taking a break?
References: <Pine.BSF.4.58.0509221200590.16813@emra.pair.com><4332D863.6000509@omnistep.com><4a67dc39050922101758ada2e8@mail.gmail.com>
	<2ca9ba910509221040107edfb7@mail.gmail.com>
Message-ID: <007101c5bfc2$3fda9f20$0319a8c0@ced>

Absurd indeed Jeff. Heh
  ----- Original Message ----- 
  From: Jeff Knight 
  To: NYPHP Talk 
  Sent: Thursday, September 22, 2005 1:40 PM
  Subject: Re: [nycphp-talk] email injection bot taking a break?


  Congratulations, that has to be the most asinine and offensive post to this list in its entire history. A number of people take time out of their busy schedules to first alert you to, and then discuss and publish a method to protect you from a current vulnerability, and the best you can do is accuse one of them of causing it? 


  On 9/22/05, Sol Toure <sol2ray at gmail.com> wrote: 
    It seems to me that the person doing this belongs to this list. I have seen the first attempt on one of my contact form this week. Or maybe after this thread started someone from the list tried it and that happened to be my site?







------------------------------------------------------------------------------


  _______________________________________________
  New York PHP Talk Mailing List
  AMP Technology
  Supporting Apache, MySQL and PHP
  http://lists.nyphp.org/mailman/listinfo/talk
  http://www.nyphp.org
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.nyphp.org/pipermail/talk/attachments/20050922/6d029ce9/attachment.html>

From JoeyD473 at nyc.rr.com  Thu Sep 22 19:15:21 2005
From: JoeyD473 at nyc.rr.com (Joey Derrico)
Date: Thu, 22 Sep 2005 19:15:21 -0400
Subject: [nycphp-talk] [OT] if you host on Ev1,
	back up your servers a.s.a.p. because Rita is coming
References: <0MKoyl-1EIYtg1Nfh-0003RO@mrelay.perfora.net>
Message-ID: <001d01c5bfcb$81b95400$50b1ad44@nyc.rr.com>

You should get a server in the area of New York City, more expesive, but
virtually no natural disasters (and if one occurs it does little to no
damage)

Joey Derrico
----- Original Message ----- 
From: "Hans Zaunere" <lists at zaunere.com>
To: "'NYPHP Talk'" <talk at lists.nyphp.org>
Sent: Thursday, September 22, 2005 5:46 PM
Subject: Re: [nycphp-talk] [OT] if you host on Ev1,back up your servers
a.s.a.p. because Rita is coming




inforequest wrote on Thursday, September 22, 2005 5:14 PM:
> If you are on ev1's service, you may want to backup locally and check
> preparedness. The current storm is headed pretty close to the ev1
> datacenters, and while it seems they are prepared
> (http://forums.ev1servers.net/showthread.php?t=58244) it might be best
> to secure your own backups.

I also figured Texas would be a pretty safe place to host.  Guess it's time
to start-up The Montana Hosting Company... land is cheap, but fiber would be
at a premium :)

H

_______________________________________________
New York PHP Talk Mailing List
AMP Technology
Supporting Apache, MySQL and PHP
http://lists.nyphp.org/mailman/listinfo/talk
http://www.nyphp.org




From hendler at simmons.edu  Thu Sep 22 19:22:04 2005
From: hendler at simmons.edu (Jonathan)
Date: Thu, 22 Sep 2005 19:22:04 -0400
Subject: [nycphp-talk] [OT] if you host on Ev1,
 back up your servers a.s.a.p. because Rita is coming
In-Reply-To: <001d01c5bfcb$81b95400$50b1ad44@nyc.rr.com>
References: <0MKoyl-1EIYtg1Nfh-0003RO@mrelay.perfora.net>
	<001d01c5bfcb$81b95400$50b1ad44@nyc.rr.com>
Message-ID: <43333C9C.6020306@simmons.edu>

If you are considering moving your servers - try an environmentally 
friendly approach -

http://www.solarhost.com/

Hmm - I hope these servers aren't in sunny Texas.
I'd rather say "Powered by the Sun" than "Powered by Sun" though.

Joey Derrico wrote:

>You should get a server in the area of New York City, more expesive, but
>virtually no natural disasters (and if one occurs it does little to no
>damage)
>
>Joey Derrico
>----- Original Message ----- 
>From: "Hans Zaunere" <lists at zaunere.com>
>To: "'NYPHP Talk'" <talk at lists.nyphp.org>
>Sent: Thursday, September 22, 2005 5:46 PM
>Subject: Re: [nycphp-talk] [OT] if you host on Ev1,back up your servers
>a.s.a.p. because Rita is coming
>
>
>
>
>inforequest wrote on Thursday, September 22, 2005 5:14 PM:
>  
>
>>If you are on ev1's service, you may want to backup locally and check
>>preparedness. The current storm is headed pretty close to the ev1
>>datacenters, and while it seems they are prepared
>>(http://forums.ev1servers.net/showthread.php?t=58244) it might be best
>>to secure your own backups.
>>    
>>
>
>I also figured Texas would be a pretty safe place to host.  Guess it's time
>to start-up The Montana Hosting Company... land is cheap, but fiber would be
>at a premium :)
>
>H
>
>_______________________________________________
>New York PHP Talk Mailing List
>AMP Technology
>Supporting Apache, MySQL and PHP
>http://lists.nyphp.org/mailman/listinfo/talk
>http://www.nyphp.org
>
>
>_______________________________________________
>New York PHP Talk Mailing List
>AMP Technology
>Supporting Apache, MySQL and PHP
>http://lists.nyphp.org/mailman/listinfo/talk
>http://www.nyphp.org
>  
>



From yournway at gmail.com  Thu Sep 22 19:24:33 2005
From: yournway at gmail.com (Alberto dos Santos)
Date: Fri, 23 Sep 2005 00:24:33 +0100
Subject: [nycphp-talk] [OT] if you host on Ev1,
	back up your servers a.s.a.p. because Rita is coming
In-Reply-To: <001d01c5bfcb$81b95400$50b1ad44@nyc.rr.com>
References: <0MKoyl-1EIYtg1Nfh-0003RO@mrelay.perfora.net>
	<001d01c5bfcb$81b95400$50b1ad44@nyc.rr.com>
Message-ID: <edce5765050922162411eddc0d@mail.gmail.com>

Discounting a couple of towers colapsing here and there,of course.

Ouch, this was mean, but I couldn't resist it...

On 23/09/05, Joey Derrico <JoeyD473 at nyc.rr.com> wrote:
>
> You should get a server in the area of New York City, more expesive, but
> virtually no natural disasters (and if one occurs it does little to no
> damage)
>
> Joey Derrico
> ----- Original Message -----
> From: "Hans Zaunere" <lists at zaunere.com>
> To: "'NYPHP Talk'" <talk at lists.nyphp.org>
> Sent: Thursday, September 22, 2005 5:46 PM
> Subject: Re: [nycphp-talk] [OT] if you host on Ev1,back up your servers
> a.s.a.p. because Rita is coming
>
>
>
>
> inforequest wrote on Thursday, September 22, 2005 5:14 PM:
> > If you are on ev1's service, you may want to backup locally and check
> > preparedness. The current storm is headed pretty close to the ev1
> > datacenters, and while it seems they are prepared
> > (http://forums.ev1servers.net/showthread.php?t=58244) it might be best
> > to secure your own backups.
>
> I also figured Texas would be a pretty safe place to host. Guess it's time
> to start-up The Montana Hosting Company... land is cheap, but fiber would
> be
> at a premium :)
>
> H
>
> _______________________________________________
> New York PHP Talk Mailing List
> AMP Technology
> Supporting Apache, MySQL and PHP
> http://lists.nyphp.org/mailman/listinfo/talk
> http://www.nyphp.org
>
>
> _______________________________________________
> New York PHP Talk Mailing List
> AMP Technology
> Supporting Apache, MySQL and PHP
> http://lists.nyphp.org/mailman/listinfo/talk
> http://www.nyphp.org
>



--
Alberto dos Santos
Consultor em TI
IT Consultant

http://www.yournway.com
A internet ? sua maneira.
The Internet your own way.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.nyphp.org/pipermail/talk/attachments/20050923/2bf2c29e/attachment.html>

From chsnyder at gmail.com  Thu Sep 22 19:28:21 2005
From: chsnyder at gmail.com (csnyder)
Date: Thu, 22 Sep 2005 19:28:21 -0400
Subject: [nycphp-talk] [OT] if you host on Ev1,
	back up your servers a.s.a.p. because Rita is coming
In-Reply-To: <0MKoyl-1EIYtg1Nfh-0003RO@mrelay.perfora.net>
References: <14911-94623@sneakemail.com>
	<0MKoyl-1EIYtg1Nfh-0003RO@mrelay.perfora.net>
Message-ID: <b76252690509221628643ac634@mail.gmail.com>

On 9/22/05, Hans Zaunere <lists at zaunere.com> wrote:
> The Montana Hosting Company...

Toronto is the way to go, I think. Plenty of fiber, intelligent
workforce, few natural disasters. And you get to pay with Canadian
dollars.

--
Chris Snyder
http://chxo.com/


From 1j0lkq002 at sneakemail.com  Fri Sep 23 00:57:03 2005
From: 1j0lkq002 at sneakemail.com (inforequest)
Date: Thu, 22 Sep 2005 21:57:03 -0700
Subject: [nycphp-talk] [OT] didn't see it mentioned.. firefox critical
 vulnerability, new version out as of Wednesday
In-Reply-To: <b76252690509221628643ac634@mail.gmail.com>
References: <14911-94623@sneakemail.com>	<0MKoyl-1EIYtg1Nfh-0003RO@mrelay.perfora.net>
	<b76252690509221628643ac634@mail.gmail.com>
Message-ID: <9358-73911@sneakemail.com>

Only on Linux/Unix, FF 1.0.6 has a backtick shell execution 
vulnerability. 1.0.7 was released Wednesday.


http://secunia.com/advisories/16869/


-=john andrews
http://www.seo-fun.com



From papillion at gmail.com  Fri Sep 23 01:56:45 2005
From: papillion at gmail.com (Anthony Papillion)
Date: Fri, 23 Sep 2005 00:56:45 -0500
Subject: [nycphp-talk] Question about obtaining MAC address
Message-ID: <5458518f0509222256666071cd@mail.gmail.com>

Does anyone know of a reliable way to obtain a site visitors MAC address? I
ask because I am creating an application that needs to be very secure and I
was thinking about using each users MAC address as the authentication key in
addition to a login/password.

Thanks!
Anthony Papillion
Phone: (918) 926-0139
ICQ: 96-698-595

CAN ONE VOICE CHANGE THE WORLD?
http://www.one.org
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.nyphp.org/pipermail/talk/attachments/20050923/9a846c2a/attachment.html>

From arzala at gmail.com  Fri Sep 23 05:27:41 2005
From: arzala at gmail.com (Anirudh Zala)
Date: Fri, 23 Sep 2005 14:57:41 +0530
Subject: [nycphp-talk] email injection bot taking a break?
In-Reply-To: <Pine.BSF.4.58.0509221200590.16813@emra.pair.com>
References: <Pine.BSF.4.58.0509221200590.16813@emra.pair.com>
Message-ID: <4333CA8D.7090201@gmail.com>

Yeah, some break in strom. Still attackes have not been stopped totally 
yet but frequency has been lowered down considerably. May be due to 
actions taken to improve code against such attacks or hacker/crackers 
himself just wanted to search vulnerable domain to be used for sending 
emails for some other purpose.

We have now enough record of IPs that have been used for such attacks, 
and my analysis suggest that we received attacks on our many domains 
from various parts of the world. And the servers used for this malacious 
purpose belong to schools, universities and some small scale companies. 
Below, you can see some IPs and contact persons who directly or 
undirectly connected with control of those servers. I have used 
http://www.geobytes.com/IpLocator.htm?GetLocation website to track 
location of these servers and then used WHOIS system to search persons 
who are directly or indirectly connected to it.

80.82.3.143	netreg at epix.net
205.238.226.40	sr.internet at infocamere.it
212.75.80.242	rolf.carlsson at atlascopco.com
66.199.163.240	eddie at onespeed.com

Thanks

Anirudh Zala

----------------------------------------------------------------
Anirudh Zala (Production Manager),    ASPL, 814-815, Star Plaza,
Ph: +91 281 245 1894                  Phhulchhab Square,
anirudh at aspl.in                       Rajkot 360001, Gujarat
http://www.aspl.in                    INDIA
----------------------------------------------------------------



David Mintz wrote:

>I was logging and emailing myself every time one of my contact.php pages
>was being abused by our little friend who inspired the latest Phundie
>article. It was cranking for a couple weeks, but has lately dropped to
>zero visits/day.
>
>Anybody else observed a similar trend, or am i just lucky?
>
>
>---
>David Mintz
>http://davidmintz.org/
>_______________________________________________
>New York PHP Talk Mailing List
>AMP Technology
>Supporting Apache, MySQL and PHP
>http://lists.nyphp.org/mailman/listinfo/talk
>http://www.nyphp.org
>
>  
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.nyphp.org/pipermail/talk/attachments/20050923/6657e3a7/attachment.html>

From lists at zaunere.com  Fri Sep 23 05:42:02 2005
From: lists at zaunere.com (Hans Zaunere)
Date: Fri, 23 Sep 2005 05:42:02 -0400
Subject: [nycphp-talk] Question about obtaining MAC address
In-Reply-To: <5458518f0509222256666071cd@mail.gmail.com>
Message-ID: <0MKp2t-1EIk4C1mQ9-0005jw@mrelay.perfora.net>


Hi Anthony,

Anthony Papillion wrote on Friday, September 23, 2005 1:57 AM:
> Does anyone know of a reliable way to obtain a site visitors MAC
> address? I ask because I am creating an application that needs to be
> very secure and I was thinking about using each users MAC address as
> the authentication key in addition to a login/password.

Sorry to say, but that's the wrong strategy for secure authentication.
There are a number of reasons, with the top-two being:

-- MAC addresses can be spoofed
-- you can't capture a MAC address of someone across the Internet.
MAC/hardware addresses don't go past a router (level 2 of the network stack,
I believe) and thus are only visible on a local LAN.  And, if a switch is in
place, as is generally the case these days, you'd only see ARP requests for
the MAC anyway.

The best way to handle security is generally a well constructed
username/password strategy.  If, however, you have close contact with each
user, SSL client/server certs may be a practical secure solution.


---
Hans Zaunere / President / New York PHP
   www.nyphp.org  /  www.nyphp.com




From lists at zaunere.com  Fri Sep 23 06:18:54 2005
From: lists at zaunere.com (Hans Zaunere)
Date: Fri, 23 Sep 2005 06:18:54 -0400
Subject: [nycphp-talk] Input Filtering
In-Reply-To: <20050917223814.GA7988@panix.com>
Message-ID: <0MKp2t-1EIkds02qo-0006VT@mrelay.perfora.net>



Daniel Convissor wrote on Saturday, September 17, 2005 6:38 PM:
> Hey Jeff:
> 
> On Mon, Jul 25, 2005 at 01:00:28PM -0400, Jeff Loiselle wrote:
> > Can anyone recommend any good packages for input filtering?
> 
> Check out my Form Solution.  Not the end all and be all, but it's
> pretty handy.  http://www.analysisandsolutions.com/software/form/

Or for true system wide input filtering, there are some developments being
discussed:

http://files.derickrethans.nl/filter_extension.html

http://marc.theaimsgroup.com/?l=php-dev&w=2&r=1&s=input+filtering&q=b


And, doesn't this all sound familiar? :)

http://lists.nyphp.org/pipermail/talk/2005-July/015639.html


Nevertheless, it's a developing area for PHP, and I'll be interested to hear
updates from the front lines at Chris' talk next week.


---
Hans Zaunere / President / New York PHP
   www.nyphp.org  /  www.nyphp.com




From lists at zaunere.com  Fri Sep 23 06:28:53 2005
From: lists at zaunere.com (Hans Zaunere)
Date: Fri, 23 Sep 2005 06:28:53 -0400
Subject: [nycphp-talk] Phundamentals Title Change: Email Header Injection
In-Reply-To: <432EADFB.8040907@phpwerx.net>
Message-ID: <0MKp2t-1EIknW2BEN-0006Gg@mrelay.perfora.net>



Dan Cech wrote on Monday, September 19, 2005 8:24 AM:
> Jeff & list,
> 
> I believe I managed to avoid weighing into the various debates raging
> back and forth in the thread.
> 
> The idea of checking for particular email addresses in the mail logs
> does seem pretty naive, especially as they are such a throwaway item
> these days.

This is absolutely true.  However, it is an easy first step to detect the
use of this exploit.  It's not exhaustive by any means (as only recoding
some key input validation code would be), but it can be a first step to
catching this early on.

> Personally I'm of the opinion that these kinds of forms should require
> inputs that are supposed to be email addresses to look like email
> addresses.  Not only will that remove the possibility of this exploit,
> it will also cut down (ever so slightly) on malformed addresses being
> sent through to the mail subsystem.  Good user feedback for 'invalid'
> addresses should allow anyone using the form to 'correct' them, so I
> see little point in blindly accepting something that isn't obviously
> an email address.
>
> The other common vulnerable field seems to be the Subject, though I
> see very little reason not to restrict that (or any other
> non-address) field to something like
> /^([-a-z0-9!@#$%^&*()_\[\]{}\\|;:'",.<>\/?+= ]+)$/i, especially
> considering the fact that non-ascii characters are usually frowned
> upon in email headers. 
> 
> Also, correct me if I'm wrong but I believe the %0A encoding is purely
> used in the request string, once it gets into PHP it will just see
> either \n or \r, the literal string %0A does not pose any risk to
> emails as a string itself.

The combination of email address checking and subject field checking is one
way of preventing this exploit.  And of course, it's always a good idea to
validate input, and prevent odd characters from entering your runtime
environment.

However for this particular exploit, it's easy to prevent.  It's simply not
possible for this exploit to work without the Content-Type: string.
Searched for, in a case-insensitive manner, across all submitted form
fields, will detect and thrawt this exploit immediately.

The only caveat that I've found is when character encoding might be
involved.  I haven't seen that it's very common, but it's out there:

http://www.faqs.org/rfcs/rfc2047.html

Does anyone have access to a SMTP server that is known to work with
non-ASCII headers for testing?

And as an FYI, Wikipedia scores again with an excellent resource on MIME and
email from a technical perspective:

http://en.wikipedia.org/wiki/MIME



---
Hans Zaunere / President / New York PHP
   www.nyphp.org  /  www.nyphp.com




From lists at zaunere.com  Fri Sep 23 06:32:23 2005
From: lists at zaunere.com (Hans Zaunere)
Date: Fri, 23 Sep 2005 06:32:23 -0400
Subject: [nycphp-talk] email injection bot taking a break?
In-Reply-To: <Pine.BSF.4.58.0509221200590.16813@emra.pair.com>
Message-ID: <0MKoyl-1EIkqv19a1-0002Cx@mrelay.perfora.net>



David Mintz wrote on Thursday, September 22, 2005 12:04 PM:
> I was logging and emailing myself every time one of my contact.php
> pages was being abused by our little friend who inspired the latest
> Phundie article. It was cranking for a couple weeks, but has lately
> dropped to zero visits/day.
> 
> Anybody else observed a similar trend, or am i just lucky?

Lucky :)

Perhaps there's been a small decline in attempts, but they're still going
strong.  I'm seeing about two dozen a day across a couple of forms.



---
Hans Zaunere / President / New York PHP
   www.nyphp.org  /  www.nyphp.com




From lists at zaunere.com  Fri Sep 23 07:36:56 2005
From: lists at zaunere.com (Hans Zaunere)
Date: Fri, 23 Sep 2005 07:36:56 -0400
Subject: [nycphp-talk] worm/virus's hammering feedback
	scripts?POLISHEDVERSION
In-Reply-To: <c905c3ce05091423037054eba6@mail.gmail.com>
Message-ID: <0MKoyl-1EIlrN2ryD-0004IS@mrelay.perfora.net>



matthijs abeelen scribbled on Thursday, September 15, 2005 2:04 AM:
> This problem is spreading very fast, a good summery of the best
> solution(s) is needed indeed. Unfortunately, I'm not the one who can
> do that. Waiting eagerly for the article on Phundamentals!  
> 
> "We're working on getting a Phundamentals article online covering the
> discussion over the last couple of days.  Thanks Roland and everyone
> for their feedback and discussion."

We're working on it.

And I've attached what a first stab at a PHP 5 class would look like, with
example usage here:

$MyMail = new MailProtect;
$MyMail->SetFrom($_POST['From']);
$MyMail->SetTo($_POST['To']);
$MyMail->SetCc('admin at somwhere.com');
$MyMail->SetSubject($_POST['Subject']);
$MyMail->SetBody('Thank you for your submission!');

if( $MyMail->SendMail() === TRUE )
    echo 'Mail Sent';
else
    echo 'WARNING: Header validation failed; possible exploitation attempt';


Feel free to play around with the code, but I've never executed it, so there
might even be a parse error, or it might just not work, and obviously more
could be added or extended to it.  So consider that my disclaimer :)


---
Hans Zaunere / President / New York PHP
   www.nyphp.org  /  www.nyphp.com

-------------- next part --------------
A non-text attachment was scrubbed...
Name: MailProtect.inc
Type: application/octet-stream
Size: 2141 bytes
Desc: not available
URL: <http://lists.nyphp.org/pipermail/talk/attachments/20050923/ba3c5b75/attachment.obj>

From hans.zaunere at nyphp.com  Fri Sep 23 09:05:27 2005
From: hans.zaunere at nyphp.com (Hans Zaunere)
Date: Fri, 23 Sep 2005 09:05:27 -0400
Subject: [nycphp-talk] Google TV
Message-ID: <0MKp2t-1EInF30om5-0002Uw@mrelay.perfora.net>


Good morning,

Wasn't aware of this until I was flipping around cable the other night.

http://google.blognewschannel.com/index.php/archives/2005/04/04/google-comin
g-to-a-tv-near-you/


---
Hans Zaunere / President / New York PHP
   www.nyphp.org  /  www.nyphp.com




From dmintz at davidmintz.org  Fri Sep 23 12:24:37 2005
From: dmintz at davidmintz.org (David Mintz)
Date: Fri, 23 Sep 2005 12:24:37 -0400 (EDT)
Subject: [nycphp-talk] [OT] if you host on Ev1,
 back up your servers a.s.a.p. because Rita is coming
In-Reply-To: <b76252690509221628643ac634@mail.gmail.com>
References: <14911-94623@sneakemail.com>
	<0MKoyl-1EIYtg1Nfh-0003RO@mrelay.perfora.net>
	<b76252690509221628643ac634@mail.gmail.com>
Message-ID: <Pine.BSF.4.58.0509231224120.94568@emra.pair.com>

On Thu, 22 Sep 2005, csnyder wrote:

> On 9/22/05, Hans Zaunere <lists at zaunere.com> wrote:
> > The Montana Hosting Company...
>
> Toronto is the way to go, I think. Plenty of fiber, intelligent
> workforce, few natural disasters. And you get to pay with Canadian
> dollars.
>

You outsourcer, you...

(-:

---
David Mintz
http://davidmintz.org/


From dmintz at davidmintz.org  Fri Sep 23 12:34:37 2005
From: dmintz at davidmintz.org (David Mintz)
Date: Fri, 23 Sep 2005 12:34:37 -0400 (EDT)
Subject: [nycphp-talk] Phundamentals Title Change: Email Header Injection
In-Reply-To: <0MKp2t-1EIknW2BEN-0006Gg@mrelay.perfora.net>
References: <0MKp2t-1EIknW2BEN-0006Gg@mrelay.perfora.net>
Message-ID: <Pine.BSF.4.58.0509231229000.94568@emra.pair.com>

On Fri, 23 Sep 2005, Hans Zaunere wrote:

>
> However for this particular exploit, it's easy to prevent.  It's simply not
> possible for this exploit to work without the Content-Type: string.
> Searched for, in a case-insensitive manner, across all submitted form
> fields, will detect and thrawt this exploit immediately.
>

Yes, and I gratefully borrowed your snippet to tighten up a couple of my
own scripts. The only conceivable drawback is that if user input is
destined to become the message body -- a textarea for the user
to type a message -- and for some reason the user legitimately wants to
say something like "Have you guys heard about the Content-type:
attack?" Granted, it's unusual, but still... Kind of like the caveat
against training Spamassassin with ham that discusses spam.

---
David Mintz
http://davidmintz.org/


From kenrbnsn at rbnsn.com  Fri Sep 23 13:38:00 2005
From: kenrbnsn at rbnsn.com (Ken Robinson)
Date: Fri, 23 Sep 2005 13:38:00 -0400
Subject: [nycphp-talk] email injection bot taking a break?
In-Reply-To: <0MKoyl-1EIkqv19a1-0002Cx@mrelay.perfora.net>
References: <Pine.BSF.4.58.0509221200590.16813@emra.pair.com>
	<0MKoyl-1EIkqv19a1-0002Cx@mrelay.perfora.net>
Message-ID: <6.2.5.4.2.20050923133203.05ab5040@rbnsn.com>

At 06:32 AM 9/23/2005, Hans Zaunere wrote:
>Perhaps there's been a small decline in attempts, but they're still going
>strong.  I'm seeing about two dozen a day across a couple of forms.

Just got a bunch of attempts from "Remote Address:202.101.173.68".

Ken

I



From scott at crisscott.com  Fri Sep 23 13:43:38 2005
From: scott at crisscott.com (Scott Mattocks)
Date: Fri, 23 Sep 2005 13:43:38 -0400
Subject: [nycphp-talk] email injection bot taking a break?
In-Reply-To: <6.2.5.4.2.20050923133203.05ab5040@rbnsn.com>
References: <Pine.BSF.4.58.0509221200590.16813@emra.pair.com>	<0MKoyl-1EIkqv19a1-0002Cx@mrelay.perfora.net>
	<6.2.5.4.2.20050923133203.05ab5040@rbnsn.com>
Message-ID: <43343ECA.9000701@crisscott.com>

Ken Robinson wrote:

> At 06:32 AM 9/23/2005, Hans Zaunere wrote:
> 
>>Perhaps there's been a small decline in attempts, but they're still going
>>strong.  I'm seeing about two dozen a day across a couple of forms.
> 
> 
> Just got a bunch of attempts from "Remote Address:202.101.173.68".

A quick whois check puts that address somewhere in the Zhejiang province 
of China. While not impossible, I am guessing that the perpetrator is 
not a member of this list.

Scott


From rolan at omnistep.com  Fri Sep 23 14:15:25 2005
From: rolan at omnistep.com (Rolan Yang)
Date: Fri, 23 Sep 2005 14:15:25 -0400
Subject: [nycphp-talk] email injection bot taking a break?
In-Reply-To: <6.2.5.4.2.20050923133203.05ab5040@rbnsn.com>
References: <Pine.BSF.4.58.0509221200590.16813@emra.pair.com>	<0MKoyl-1EIkqv19a1-0002Cx@mrelay.perfora.net>
	<6.2.5.4.2.20050923133203.05ab5040@rbnsn.com>
Message-ID: <4334463D.8090108@omnistep.com>

I have received hundreds of them from all over the world. Blocking ip's 
is even more futile than filtering mail server logs with a list of known 
emails.

Ken Robinson wrote:

>At 06:32 AM 9/23/2005, Hans Zaunere wrote:
>  
>
>>Perhaps there's been a small decline in attempts, but they're still going
>>strong.  I'm seeing about two dozen a day across a couple of forms.
>>    
>>
>
>Just got a bunch of attempts from "Remote Address:202.101.173.68".
>
>Ken
>
>  
>


From jsiegel1 at optonline.net  Fri Sep 23 14:36:07 2005
From: jsiegel1 at optonline.net (Jeff Siegel)
Date: Fri, 23 Sep 2005 14:36:07 -0400
Subject: [nycphp-talk] email injection bot taking a break?
In-Reply-To: <4334463D.8090108@omnistep.com>
Message-ID: <0INA00LUR90E5J30@mta4.srv.hcvlny.cv.net>

The attempts that I had caught came from XO communications here in the U.S.
and from Poland. 

Jeff


-----Original Message-----
From: talk-bounces at lists.nyphp.org [mailto:talk-bounces at lists.nyphp.org] On
Behalf Of Rolan Yang
Sent: Friday, September 23, 2005 1:15 PM
To: NYPHP Talk
Subject: Re: [nycphp-talk] email injection bot taking a break?

I have received hundreds of them from all over the world. Blocking ip's 
is even more futile than filtering mail server logs with a list of known 
emails.

Ken Robinson wrote:

>At 06:32 AM 9/23/2005, Hans Zaunere wrote:
>  
>
>>Perhaps there's been a small decline in attempts, but they're still going
>>strong.  I'm seeing about two dozen a day across a couple of forms.
>>    
>>
>
>Just got a bunch of attempts from "Remote Address:202.101.173.68".
>
>Ken
>
>  
>
_______________________________________________
New York PHP Talk Mailing List
AMP Technology
Supporting Apache, MySQL and PHP
http://lists.nyphp.org/mailman/listinfo/talk
http://www.nyphp.org



From 1j0lkq002 at sneakemail.com  Fri Sep 23 17:11:00 2005
From: 1j0lkq002 at sneakemail.com (inforequest)
Date: Fri, 23 Sep 2005 14:11:00 -0700
Subject: [nycphp-talk] Geoselect alternatives?
In-Reply-To: <4333CA8D.7090201@gmail.com>
References: <Pine.BSF.4.58.0509221200590.16813@emra.pair.com>
	<4333CA8D.7090201@gmail.com>
Message-ID: <23118-60644@sneakemail.com>

(just goes to show how a mention on the NYPHP list gets a product 
immediate attention!)

I checked out Geoselect.com for their geo-location service and it looks 
good. Nice package, and great presentation, and very considerate $49 
developer license.  I currently work with Tigerline via custom code, but 
I would very much prefer to let a company maintain this portion (exactly 
like Geoselect purports to). However, it is to expensive for multiple 
very high traffic sites. I also would ant code access to insert open 
proxy checks and such.

What open source options are there to do what GeoSelect does? (resolve 
IP to City, State, Country, Lat, Long) server side in meory, with 
caching, perhaps placing the values in server vars like GeoSelect does? 
Maybe there is not yet a comprehensive (quality) IP to Geo database 
being maintained open source?

Thanks for any help.

-=john andrews
http://www.seo-fun.com














From 1j0lkq002 at sneakemail.com  Fri Sep 23 17:43:58 2005
From: 1j0lkq002 at sneakemail.com (inforequest)
Date: Fri, 23 Sep 2005 14:43:58 -0700
Subject: [nycphp-talk] Phundamentals Title Change: Email Header Injection
In-Reply-To: <Pine.BSF.4.58.0509231229000.94568@emra.pair.com>
References: <0MKp2t-1EIknW2BEN-0006Gg@mrelay.perfora.net>
	<Pine.BSF.4.58.0509231229000.94568@emra.pair.com>
Message-ID: <6557-14800@sneakemail.com>

David Mintz dmintz-at-davidmintz.org |nyphp dev/internal group use| wrote:

>On Fri, 23 Sep 2005, Hans Zaunere wrote:
>
>  
>
>>However for this particular exploit, it's easy to prevent.  It's simply not
>>possible for this exploit to work without the Content-Type: string.
>>Searched for, in a case-insensitive manner, across all submitted form
>>fields, will detect and thrawt this exploit immediately.
>>
>>    
>>
>
>Yes, and I gratefully borrowed your snippet to tighten up a couple of my
>own scripts. The only conceivable drawback is that if user input is
>destined to become the message body -- a textarea for the user
>to type a message -- and for some reason the user legitimately wants to
>say something like "Have you guys heard about the Content-type:
>attack?" Granted, it's unusual, but still... Kind of like the caveat
>against training Spamassassin with ham that discusses spam.
>
>---
>David Mintz
>http://davidmintz.org/
>  
>

You might consider an old SEO trick and just swap in an invalid version 
of thet string, that still makes sense to the reader. Perhaps relacing

"Content-type:" with "Content-type (colon)" for example, leaves it in the text but not functional.

-=john andrews
http://www.seo-fun.com




From lists at zaunere.com  Fri Sep 23 19:33:38 2005
From: lists at zaunere.com (Hans Zaunere)
Date: Fri, 23 Sep 2005 19:33:38 -0400
Subject: [nycphp-talk] Phundamentals Title Change: Email Header Injection
In-Reply-To: <6557-14800@sneakemail.com>
Message-ID: <0MKoyl-1EIx2y2oN1-0002rh@mrelay.perfora.net>



inforequest wrote on Friday, September 23, 2005 5:44 PM:
> David Mintz dmintz-at-davidmintz.org |nyphp dev/internal group use|
> wrote: 
> 
> > On Fri, 23 Sep 2005, Hans Zaunere wrote:
> > 
> > 
> > 
> > > However for this particular exploit, it's easy to prevent.  It's
> > > simply not possible for this exploit to work without the
> > > Content-Type: string. Searched for, in a case-insensitive manner,
> > > across all submitted form fields, will detect and thrawt this
> > > exploit immediately. 
> > > 
> > > 
> > > 
> > 
> > Yes, and I gratefully borrowed your snippet to tighten up a couple
> > of my own scripts. The only conceivable drawback is that if user
> > input is destined to become the message body -- a textarea for the
> > user 
> > to type a message -- and for some reason the user legitimately
> > wants to say something like "Have you guys heard about the
> > Content-type: attack?" Granted, it's unusual, but still... Kind of
> > like the caveat against training Spamassassin with ham that
> > discusses spam.

The small snippet does check every submitted form field, so this could be an
issue, albeit in the years-of-web-development-never-seen-this-as-a-problem
department.

The other side of this, however, is the MailProtect.inc class I posted
earlier.  It only check header fields, which is the area of concern.  A
Content-Type: in the body isn't a problem in this case, so MailProtect.inc
(anyone played with it yet?) would be the better solution. 

> You might consider an old SEO trick and just swap in an invalid version 
> of thet string, that still makes sense to the reader. Perhaps relacing
> 
> "Content-type:" with "Content-type (colon)" for example, leaves it in
> the text but not functional.

And that would solve it, assuming the first bit of code.


---
Hans Zaunere / President / New York PHP
   www.nyphp.org  /  www.nyphp.com




From shiflett at php.net  Sat Sep 24 00:17:32 2005
From: shiflett at php.net (Chris Shiflett)
Date: Sat, 24 Sep 2005 00:17:32 -0400
Subject: [nycphp-talk] Phundamentals Title Change: Email Header Injection
In-Reply-To: <Pine.BSF.4.58.0509231229000.94568@emra.pair.com>
References: <0MKp2t-1EIknW2BEN-0006Gg@mrelay.perfora.net>
	<Pine.BSF.4.58.0509231229000.94568@emra.pair.com>
Message-ID: <4334D35C.3020401@php.net>

David Mintz wrote:
> The only conceivable drawback is that if user input is destined to
> become the message body -- a textarea for the user to type a
> message -- and for some reason the user legitimately wants to say
> something like "Have you guys heard about the Content-type:
> attack?" Granted, it's unusual

It just happened. :-)

Chris

-- 
Chris Shiflett
Brain Bulb, The PHP Consultancy
http://brainbulb.com/


From andrew at plexpod.com  Sat Sep 24 00:30:22 2005
From: andrew at plexpod.com (Andrew Yochum)
Date: Sat, 24 Sep 2005 00:30:22 -0400
Subject: [nycphp-talk] Geoselect alternatives?
In-Reply-To: <23118-60644@sneakemail.com>
References: <Pine.BSF.4.58.0509221200590.16813@emra.pair.com>
	<4333CA8D.7090201@gmail.com> <23118-60644@sneakemail.com>
Message-ID: <20050924043021.GA15749@desario.homelinux.net>

John,

On Fri, Sep 23, 2005 at 02:11:00PM -0700, inforequest wrote:
> What open source options are there to do what GeoSelect does? (resolve 
> IP to City, State, Country, Lat, Long) server side in meory, with 
> caching, perhaps placing the values in server vars like GeoSelect does? 
> Maybe there is not yet a comprehensive (quality) IP to Geo database 
> being maintained open source?

There wasn't that I was aware of until poking around a bit tonight...

I've used the perl Geo::IPfree module in the past, but can't speak to
the data's thoroughness or quality.  I was interested in rough aggregate
quick and dirty stats at the time (a while back now), and I got this one
working very quickly.  It only does IP->Country stuff, so not really
what you want.
    http://search.cpan.org/~gmpassos/Geo-IPfree-0.2/lib/Geo/IPfree.pm

There are also seem various methods of accessing the freely available
MaxMind from within PHP now.
    http://www.maxmind.com/app/php
    http://www.maxmind.com/geoip/api/c.shtml
    http://www.maxmind.com/download/geoip/database/
Also, only IP->Country - at least, in open source, that is.  Including
their PEAR package for PHP 5 that seems to allow you to use their
commercial DB for more granular data:
    http://pear.php.net/pepr/pepr-proposal-show.php?id=91

And in looking at that stuff just now I noticed right next door to it in
PEAR is the Net_Geo PEAR package which seems to maybe do just what you
want using CAIDA database:
    http://pear.php.net/package/Net_Geo/
    http://www.caida.org/
I just played around with it a bit and found it very easy to use, and
reasonably accurate in locating a few IPs I threw at it.  It tells you
the granularity of the result, too.  It makes a remote HTTP request to a
CGI on the CAIDA site and caches the results.  Uncached queries
certainly lag a bit.  It could do the trick depending on your needs.

HTH,
Andrew
-- 
Andrew Yochum
Plexpod
andrew at plexpod.com
718-360-0879


From shiflett at php.net  Sat Sep 24 01:40:08 2005
From: shiflett at php.net (Chris Shiflett)
Date: Sat, 24 Sep 2005 01:40:08 -0400
Subject: [nycphp-talk] Geoselect alternatives?
In-Reply-To: <20050924043021.GA15749@desario.homelinux.net>
References: <Pine.BSF.4.58.0509221200590.16813@emra.pair.com>
	<4333CA8D.7090201@gmail.com> <23118-60644@sneakemail.com>
	<20050924043021.GA15749@desario.homelinux.net>
Message-ID: <4334E6B8.4040309@php.net>

Andrew Yochum wrote:
> There are also seem various methods of accessing the freely available
> MaxMind from within PHP now.

I've used this with great success for some pretty busy work (more than 
10 million lookups a day). If your needs are more demanding, I think 
they also have an Apache module.

Chris

-- 
Chris Shiflett
Brain Bulb, The PHP Consultancy
http://brainbulb.com/


From andrew at plexpod.com  Sat Sep 24 06:38:34 2005
From: andrew at plexpod.com (Andrew Yochum)
Date: Sat, 24 Sep 2005 06:38:34 -0400
Subject: [nycphp-talk] Geoselect alternatives?
In-Reply-To: <4334E6B8.4040309@php.net>
References: <Pine.BSF.4.58.0509221200590.16813@emra.pair.com>
	<4333CA8D.7090201@gmail.com> <23118-60644@sneakemail.com>
	<20050924043021.GA15749@desario.homelinux.net>
	<4334E6B8.4040309@php.net>
Message-ID: <20050924103832.GD15749@desario.homelinux.net>

On Sat, Sep 24, 2005 at 01:40:08AM -0400, Chris Shiflett wrote:
> Andrew Yochum wrote:
> > There are also seem various methods of accessing the freely available
> > MaxMind from within PHP now.
> 
> I've used this with great success for some pretty busy work (more than 
> 10 million lookups a day). If your needs are more demanding, I think 
> they also have an Apache module.

Just curious... Were you using the free "country" database or the
commercial db w/ city level data?

Andrew
-- 
Andrew Yochum
Plexpod
andrew at plexpod.com
718-360-0879


From jeff.siegel at nyphp.org  Sat Sep 24 16:42:50 2005
From: jeff.siegel at nyphp.org (Jeff Siegel)
Date: Sat, 24 Sep 2005 16:42:50 -0400
Subject: [nycphp-talk] Phundamental: Email Header Injection Exploit - Revised
Message-ID: <0INC00C079JOM3D0@mta3.srv.hcvlny.cv.net>

An extensively revised PHundamental has been posted. As always, comments and
suggestions are welcome. 
 
See: http://www.nyphp.org/phundamentals/email_header_injection.php


Jeff Siegel
NYPHP PHundamentals



From 1j0lkq002 at sneakemail.com  Sat Sep 24 17:15:13 2005
From: 1j0lkq002 at sneakemail.com (inforequest)
Date: Sat, 24 Sep 2005 14:15:13 -0700
Subject: [nycphp-talk] Geoselect alternatives?
In-Reply-To: <20050924043021.GA15749@desario.homelinux.net>
References: <Pine.BSF.4.58.0509221200590.16813@emra.pair.com>	<4333CA8D.7090201@gmail.com>
	<23118-60644@sneakemail.com>
	<20050924043021.GA15749@desario.homelinux.net>
Message-ID: <14305-63499@sneakemail.com>

Andrew Yochum andrew-at-plexpod.com |nyphp dev/internal group use| wrote:

>John,
>
>On Fri, Sep 23, 2005 at 02:11:00PM -0700, inforequest wrote:
>  
>
>>What open source options are there to do what GeoSelect does? (resolve 
>>IP to City, State, Country, Lat, Long) server side in meory, with 
>>caching, perhaps placing the values in server vars like GeoSelect does? 
>>Maybe there is not yet a comprehensive (quality) IP to Geo database 
>>being maintained open source?
>>    
>>
>
>There wasn't that I was aware of until poking around a bit tonight...
>
>I've used the perl Geo::IPfree module in the past, but can't speak to
>the data's thoroughness or quality.  I was interested in rough aggregate
>quick and dirty stats at the time (a while back now), and I got this one
>working very quickly.  It only does IP->Country stuff, so not really
>what you want.
>    http://search.cpan.org/~gmpassos/Geo-IPfree-0.2/lib/Geo/IPfree.pm
>
>There are also seem various methods of accessing the freely available
>MaxMind from within PHP now.
>    http://www.maxmind.com/app/php
>    http://www.maxmind.com/geoip/api/c.shtml
>    http://www.maxmind.com/download/geoip/database/
>Also, only IP->Country - at least, in open source, that is.  Including
>their PEAR package for PHP 5 that seems to allow you to use their
>commercial DB for more granular data:
>    http://pear.php.net/pepr/pepr-proposal-show.php?id=91
>
>And in looking at that stuff just now I noticed right next door to it in
>PEAR is the Net_Geo PEAR package which seems to maybe do just what you
>want using CAIDA database:
>    http://pear.php.net/package/Net_Geo/
>    http://www.caida.org/
>I just played around with it a bit and found it very easy to use, and
>reasonably accurate in locating a few IPs I threw at it.  It tells you
>the granularity of the result, too.  It makes a remote HTTP request to a
>CGI on the CAIDA site and caches the results.  Uncached queries
>certainly lag a bit.  It could do the trick depending on your needs.
>
>HTH,
>Andrew
>  
>
thanks Andrew.

I know maxmind from MaxMedia, but not using city yet (and not stable 
yet).I'll look a the PHP interfaces now.

CAIDA site says "*NOTE: NetGeo has not been actively maintained for 
/several years/, and this will probably not change in the foreseeable 
future. As a result, there are several known major issues affecting 
accuracy and service availability. Please be warned that NetGeo may give 
/wildly incorrect/ results, especially for recently allocated or 
re-assigned IP addresses."

It fails to an ARIN Whois lookup also...

-=john andrews
http://www.seo-fun.com



*


From shiflett at php.net  Sat Sep 24 23:51:43 2005
From: shiflett at php.net (Chris Shiflett)
Date: Sat, 24 Sep 2005 23:51:43 -0400
Subject: [nycphp-talk] Geoselect alternatives?
In-Reply-To: <20050924103832.GD15749@desario.homelinux.net>
References: <Pine.BSF.4.58.0509221200590.16813@emra.pair.com>
	<4333CA8D.7090201@gmail.com> <23118-60644@sneakemail.com>
	<20050924043021.GA15749@desario.homelinux.net>
	<4334E6B8.4040309@php.net>
	<20050924103832.GD15749@desario.homelinux.net>
Message-ID: <43361ECF.8030002@php.net>

Andrew Yochum wrote:
> Just curious... Were you using the free "country" database
> or the commercial db w/ city level data?

Just the free one. It had trouble with some stuff (most of the problem 
areas are known and supposedly addressed in the non-free versions), but 
we found it to be fast enough to fit our needs and accurate enough to be 
useful.

What originally caught my eye when we were searching around:

1. MySQL AB was using it.
2. Jim Winstead wrote the PHP library for it.
3. It was free.

Chris

-- 
Chris Shiflett
Brain Bulb, The PHP Consultancy
http://brainbulb.com/


From andrew at plexpod.com  Sun Sep 25 08:26:52 2005
From: andrew at plexpod.com (Andrew Yochum)
Date: Sun, 25 Sep 2005 08:26:52 -0400
Subject: [nycphp-talk] Geoselect alternatives?
In-Reply-To: <14305-63499@sneakemail.com>
References: <Pine.BSF.4.58.0509221200590.16813@emra.pair.com>
	<4333CA8D.7090201@gmail.com> <23118-60644@sneakemail.com>
	<20050924043021.GA15749@desario.homelinux.net>
	<14305-63499@sneakemail.com>
Message-ID: <20050925122650.GG15749@desario.homelinux.net>

On Sat, Sep 24, 2005 at 02:15:13PM -0700, inforequest wrote:
> CAIDA site says "*NOTE: NetGeo has not been actively maintained for 
> /several years/, and this will probably not change in the foreseeable 
> future. As a result, there are several known major issues affecting 
> accuracy and service availability. Please be warned that NetGeo may give 
> /wildly incorrect/ results, especially for recently allocated or 
> re-assigned IP addresses."
> 
> It fails to an ARIN Whois lookup also...

Good sleuthing.  Thanks for the info.

Andrew

-- 
Andrew Yochum
Plexpod
andrew at plexpod.com
718-360-0879


From hans at cyberxdesigns.com  Mon Sep 26 09:55:53 2005
From: hans at cyberxdesigns.com (Hans C. Kaspersetz)
Date: Mon, 26 Sep 2005 09:55:53 -0400
Subject: [nycphp-talk] August Presentation Posted
Message-ID: <4337FDE9.5000009@cyberxdesigns.com>

 From the better late then never department, we have posted the August 
presentation, audio and photos.

Presentation: http://www.nyphp.org/content/presentations/index.php
Audio: http://www.nyphp.org/content/mp3/nyphp082305.mp3
Photos: 
http://www.nyphp.org/content/gallery/view_album.php?set_albumName=aug05

Your humble presentation lacky,
Hans Kaspersetz
hans.kaspersetz at nyphp.org
http://www.cyberxdesigns.com

----------------------------------- Presentation Blurb 
-----------------------------------

Internal NYPHP Presentation, August 22, 2005
Tools for Writing Better Code-Part 1

It's August, it's hot and everyone is either on vacation or too 
delusional from the heat to get any serious work done - including us, 
considering how long it took us to post this! What better opportunity to 
present the first part of our long awaited series on writing better PHP 
code. Join the New York PHP core developers as we present some of the 
tools we use to enhance the single or multi-developer environment.

President Hans Zaunere will present on using Windows XP to development 
remotely with Eclipse / PHP and Subversion (.PPT). Exposing concepts 
such as how to get Windows to talk to a remote Webdav / Subversion 
server, and brief examples of the improved workflow, this is sure to 
improve your development with the Windows client.

Vice President Jeff Knight and Core Developer Andrew Yochum will team up 
to explore why Subversion is an excellent choice for Version and Source 
Control, and the choice internally at New York PHP. Further they will 
demonstrate how Subversion can be used to manage multiple projects and 
developers as well as development and production environments.

With any time left over, we'd like to offer the opportunity to bring the 
Talk list face to face. Come prepared with your questions / problems and 
solutions and we'll open up the floor to discuss your topics.


From codebowl at gmail.com  Mon Sep 26 19:57:45 2005
From: codebowl at gmail.com (Joseph Crawford)
Date: Mon, 26 Sep 2005 19:57:45 -0400
Subject: [nycphp-talk] Zend Debugger
Message-ID: <8d9a42800509261657407b9a3f@mail.gmail.com>

I am trying out the beta of zend studio, i am trying to run the studio
server debugger, when i login to the studio server web interface i get
errors about the ini_modifier, so i executed from the command line and i get
the error that the ini directory is not writable, my question is where is
this ini directory??

--
Joseph Crawford Jr.
Zend Certified Engineer
Codebowl Solutions, Inc.
1-802-671-2021
codebowl at gmail.com
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.nyphp.org/pipermail/talk/attachments/20050926/19d3aaaf/attachment.html>

From mikko.rantalainen at peda.net  Tue Sep 27 08:03:44 2005
From: mikko.rantalainen at peda.net (Mikko Rantalainen)
Date: Tue, 27 Sep 2005 15:03:44 +0300
Subject: [nycphp-talk] worm/virus's hammering
	feedback	scripts?POLISHEDVERSION
In-Reply-To: <0MKoyl-1EIlrN2ryD-0004IS@mrelay.perfora.net>
References: <0MKoyl-1EIlrN2ryD-0004IS@mrelay.perfora.net>
Message-ID: <43393520.3050600@peda.net>

Hans Zaunere wrote:
> matthijs abeelen scribbled on Thursday, September 15, 2005 2:04 AM:
> 
>>This problem is spreading very fast, a good summery of the best
>>solution(s) is needed indeed. Unfortunately, I'm not the one who can
>>do that. Waiting eagerly for the article on Phundamentals!  
> 
> We're working on it.
> 
> And I've attached what a first stab at a PHP 5 class would look like, with
> example usage here:
> 
> $MyMail = new MailProtect;
> $MyMail->SetFrom($_POST['From']);
> $MyMail->SetTo($_POST['To']);
> $MyMail->SetCc('admin at somwhere.com');
> $MyMail->SetSubject($_POST['Subject']);
> $MyMail->SetBody('Thank you for your submission!');
> 
> if( $MyMail->SendMail() === TRUE )
>     echo 'Mail Sent';
> else
>     echo 'WARNING: Header validation failed; possible exploitation attempt';

How about

$MyMail->addTo(...);
$MyMail->addCc(...);
$MyMail->addBcc(...);

instead of setXXX() variants? From, Subject and Body always have 
exactly one value but To, Cc and Bcc fields can contain multiple 
items. If the protecting wrapper class forces one to add a single 
recipient at a time misuse of these fields is a bit harder by mistake.

Also, I'd prefer those methods to accept two parameters instead of 
just one. For example,

function addTo($email,$display_name="") {...}

So that user of this class never needs to encode any special 
characters or merge display name and email in the same string.

I'd add $MyMail->addHeader($name,$value) for adding a single 
additional header too.

-- 
Mikko


From dcech at phpwerx.net  Tue Sep 27 08:13:01 2005
From: dcech at phpwerx.net (Dan Cech)
Date: Tue, 27 Sep 2005 08:13:01 -0400
Subject: [nycphp-talk] worm/virus's
	hammering	feedback	scripts?POLISHEDVERSION
In-Reply-To: <43393520.3050600@peda.net>
References: <0MKoyl-1EIlrN2ryD-0004IS@mrelay.perfora.net>
	<43393520.3050600@peda.net>
Message-ID: <4339374D.4000107@phpwerx.net>

I'd advise checking out phpmailer (http://phpmailer.sourceforge.net/). I 
haven't had a chance to look into it from a security perspective, but it 
does support almost every feature you could desire for sending email.

If there are security issues then I would suggest working on securing 
this existing and very mature product rather than rolling your own. 
Also, it is released under the LGPL so using it in commercial 
applications should not be a problem.

Dan

Mikko Rantalainen wrote:
> Hans Zaunere wrote:
> 
>>matthijs abeelen scribbled on Thursday, September 15, 2005 2:04 AM:
>>
>>
>>>This problem is spreading very fast, a good summery of the best
>>>solution(s) is needed indeed. Unfortunately, I'm not the one who can
>>>do that. Waiting eagerly for the article on Phundamentals!  
>>
>>We're working on it.
>>
>>And I've attached what a first stab at a PHP 5 class would look like, with
>>example usage here:
>>
>>$MyMail = new MailProtect;
>>$MyMail->SetFrom($_POST['From']);
>>$MyMail->SetTo($_POST['To']);
>>$MyMail->SetCc('admin at somwhere.com');
>>$MyMail->SetSubject($_POST['Subject']);
>>$MyMail->SetBody('Thank you for your submission!');
>>
>>if( $MyMail->SendMail() === TRUE )
>>    echo 'Mail Sent';
>>else
>>    echo 'WARNING: Header validation failed; possible exploitation attempt';
> 
> 
> How about
> 
> $MyMail->addTo(...);
> $MyMail->addCc(...);
> $MyMail->addBcc(...);
> 
> instead of setXXX() variants? From, Subject and Body always have 
> exactly one value but To, Cc and Bcc fields can contain multiple 
> items. If the protecting wrapper class forces one to add a single 
> recipient at a time misuse of these fields is a bit harder by mistake.
> 
> Also, I'd prefer those methods to accept two parameters instead of 
> just one. For example,
> 
> function addTo($email,$display_name="") {...}
> 
> So that user of this class never needs to encode any special 
> characters or merge display name and email in the same string.
> 
> I'd add $MyMail->addHeader($name,$value) for adding a single 
> additional header too.
> 



From mwithington at PLMresearch.com  Tue Sep 27 17:04:49 2005
From: mwithington at PLMresearch.com (Mark Withington)
Date: Tue, 27 Sep 2005 17:04:49 -0400
Subject: [nycphp-talk] Project management solutions
Message-ID: <1F3CD8DDFB6A9B4C9B8DD06E4A7DE3580135531C@network.PLMresearch.com>

I'm on the front-end of a research project to locate "good" PHP project
management solutions.  So far I've identified the following candidates.
Does anyone have experience with

PHProjekt http://www.phprojekt.com/	
DOTproject http://www.dotproject.net/	
Netoffice http://netoffice.sourceforge.net 
TUTOS http://www.tutos.org	
more.groupware http://mgw.k-fish.de/
phpGroupWare http://www.phpgroupware.org/

Any ones that I've missed?

Thanks in advance,

Mark

--------------------------
Mark L. Withington
PLMresearch
"eBusiness for the Midsize Enterprise"
PO Box 1354
Plymouth, MA  02362
o: 800-310-3992 ext. 704
f: 508-746-4973
v: 508-746-2383
m: 508-801-0181
http://www.PLMresearch.com
AIM/MSN/Skype: PLMresearch
Yahoo:  PLMresearch2000
mwithington at plmresearch.com
Public Key: http://www.plmresearch.com/keys/MLW_public_key.asc
Calendar: http://www.plmresearch.com/calendar.php


From matt at jiffycomp.com  Tue Sep 27 21:27:49 2005
From: matt at jiffycomp.com (Matt Morgan)
Date: Tue, 27 Sep 2005 21:27:49 -0400
Subject: [nycphp-talk] Project management solutions
In-Reply-To: <1F3CD8DDFB6A9B4C9B8DD06E4A7DE3580135531C@network.PLMresearch.com>
References: <1F3CD8DDFB6A9B4C9B8DD06E4A7DE3580135531C@network.PLMresearch.com>
Message-ID: <4339F195.2010307@jiffycomp.com>

Mark Withington wrote:

>I'm on the front-end of a research project to locate "good" PHP project
>management solutions.  So far I've identified the following candidates.
>Does anyone have experience with
>
>PHProjekt http://www.phprojekt.com/	
>DOTproject http://www.dotproject.net/	
>Netoffice http://netoffice.sourceforge.net 
>TUTOS http://www.tutos.org	
>more.groupware http://mgw.k-fish.de/
>phpGroupWare http://www.phpgroupware.org/
>
>Any ones that I've missed?
>  
>
Last I checked, which was about 9 months ago, eGroupware was not so 
strong in project management but they have a new version coming out soon 
that will have it. Otherwise, they're a feature-rich and pretty 
well-supported php groupware package (http://egroupware.org).


From andrew at plexpod.com  Tue Sep 27 22:45:51 2005
From: andrew at plexpod.com (Andrew Yochum)
Date: Tue, 27 Sep 2005 22:45:51 -0400
Subject: [nycphp-talk] Project management solutions
In-Reply-To: <4339F195.2010307@jiffycomp.com>
References: <1F3CD8DDFB6A9B4C9B8DD06E4A7DE3580135531C@network.PLMresearch.com>
	<4339F195.2010307@jiffycomp.com>
Message-ID: <20050928024551.GY15749@desario.homelinux.net>

On Tue, Sep 27, 2005 at 09:27:49PM -0400, Matt Morgan wrote:
> Last I checked, which was about 9 months ago, eGroupware was not so 
> strong in project management but they have a new version coming out soon 
> that will have it. Otherwise, they're a feature-rich and pretty 
> well-supported php groupware package (http://egroupware.org).

FWIW, there is also Kontact support in eGroupware for you Linux desktop
users:
    http://www.kontact.org/groupwareservers.php
Not PM per-se stuff, but certainly a valuable feature.

Andrew
-- 
Andrew Yochum
Plexpod
andrew at plexpod.com
718-360-0879


From greg.rundlett at gmail.com  Tue Sep 27 22:47:15 2005
From: greg.rundlett at gmail.com (Greg Rundlett)
Date: Tue, 27 Sep 2005 22:47:15 -0400
Subject: [nycphp-talk] [Bostonphptalk] Project management solutions
In-Reply-To: <1F3CD8DDFB6A9B4C9B8DD06E4A7DE3580135531C@network.PLMresearch.com>
References: <1F3CD8DDFB6A9B4C9B8DD06E4A7DE3580135531C@network.PLMresearch.com>
Message-ID: <5e2aaca405092719477f03e2ad@mail.gmail.com>

On 9/27/05, Mark Withington <mwithington at plmresearch.com> wrote:
>
> I'm on the front-end of a research project to locate "good" PHP project
> management solutions. So far I've identified the following candidates.
> Does anyone have experience with


There is BaseCamp[1], which is a hosted solution so I don't think you can
get the code. When I created the Virtual Incubator[2], I used a project
called OPT[3], which works very well and is focused on project management
(not other 'groupware' stuff) but unfortunately it's not actively
maintained, and there may be known security vulnerabilities so if you want
to put it into production you may have to track those down. One plus is that
Guy Davis added CVS integration to it.
[1] http://basecamphq.com/
[2] http://nhvbi.buzgate.org/opt/index.php
[3] http://www.guydavis.ca/projects/oss/opt/index.jsp and the
sourceforge.net <http://sourceforge.net> project page.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.nyphp.org/pipermail/talk/attachments/20050927/fe7d4e24/attachment.html>

From sreegchn at gmail.com  Wed Sep 28 05:07:41 2005
From: sreegchn at gmail.com (Sreenath G)
Date: Wed, 28 Sep 2005 14:37:41 +0530
Subject: [nycphp-talk] Free PHP Webspace
Message-ID: <9bd933520509280207275444e2@mail.gmail.com>

Hi all,

Can anyone tell me a good site offering 50-100MB(or more) Free Webspace with
PHP and MySQL.
--
regards
Sreenath.G
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.nyphp.org/pipermail/talk/attachments/20050928/9048c906/attachment.html>

From codebowl at gmail.com  Wed Sep 28 08:48:49 2005
From: codebowl at gmail.com (Joseph Crawford)
Date: Wed, 28 Sep 2005 08:48:49 -0400
Subject: [nycphp-talk] Free PHP Webspace
In-Reply-To: <9bd933520509280207275444e2@mail.gmail.com>
References: <9bd933520509280207275444e2@mail.gmail.com>
Message-ID: <8d9a428005092805487dbf2e78@mail.gmail.com>

last i knew .Geek was a good place, i am not sure if they are still offering
it but they did when PHP5 was first released.
www.dotgeek.org<http://www.dotgeek.org>

other than that, check google, i am sure there are many other sites that
offer free space with banner ad's etc..

lunarpages has a cheap package i think it's $7/mo if you can manage that.

--
Joseph Crawford Jr.
Zend Certified Engineer
Codebowl Solutions, Inc.
1-802-671-2021
codebowl at gmail.com
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.nyphp.org/pipermail/talk/attachments/20050928/9e7db554/attachment.html>

From Consult at CovenantEDesign.com  Wed Sep 28 08:54:31 2005
From: Consult at CovenantEDesign.com (CED)
Date: Wed, 28 Sep 2005 08:54:31 -0400
Subject: [nycphp-talk] Free PHP Webspace
References: <9bd933520509280207275444e2@mail.gmail.com>
Message-ID: <01a701c5c42b$c538d0c0$0319a8c0@ced>

My desktop. =D
  ----- Original Message ----- 
  From: Sreenath G 
  To: NYPHP Talk 
  Sent: Wednesday, September 28, 2005 5:07 AM
  Subject: [nycphp-talk] Free PHP Webspace


  Hi all,

               Can anyone tell me a good site offering 50-100MB(or more) Free Webspace with PHP and MySQL.
  -- 
                                                regards 
                                              Sreenath.G 


------------------------------------------------------------------------------


  _______________________________________________
  New York PHP Talk Mailing List
  AMP Technology
  Supporting Apache, MySQL and PHP
  http://lists.nyphp.org/mailman/listinfo/talk
  http://www.nyphp.org
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.nyphp.org/pipermail/talk/attachments/20050928/eac14863/attachment.html>

From aaron at aarond.com  Wed Sep 28 12:57:57 2005
From: aaron at aarond.com (aaron at aarond.com)
Date: Wed, 28 Sep 2005 12:57:57 -0400
Subject: [nycphp-talk] Audubon Flash/PHP Map
Message-ID: <20050928125757.c36byl6sdlkkcs44@208.179.130.20>

Hey guys, I could use some feedback on this page. It's a flash/php/oracle app
that dynamically plots points on a map based on long/lat info for each contact
in the db. It may be a little slow loading, but if it's REALLY slow please let
me know.

(A co-worker of mine developed the app, I just helped out on a few small items
and feedback)

http://www.audubon.org/states/flashMap.php

Thanks!!
Aaron D.


From yournway at gmail.com  Wed Sep 28 13:19:38 2005
From: yournway at gmail.com (Alberto dos Santos)
Date: Wed, 28 Sep 2005 18:19:38 +0100
Subject: [nycphp-talk] Audubon Flash/PHP Map
In-Reply-To: <20050928125757.c36byl6sdlkkcs44@208.179.130.20>
References: <20050928125757.c36byl6sdlkkcs44@208.179.130.20>
Message-ID: <edce5765050928101967cdde43@mail.gmail.com>

Loads pretty fast.
it?s nice, though I would like to have a hand over the map allowing me to
move it as I please.

That said, Nice Work!

On 28/09/05, aaron at aarond.com <aaron at aarond.com> wrote:
>
> Hey guys, I could use some feedback on this page. It's a flash/php/oracle
> app
> that dynamically plots points on a map based on long/lat info for each
> contact
> in the db. It may be a little slow loading, but if it's REALLY slow please
> let
> me know.
>
> (A co-worker of mine developed the app, I just helped out on a few small
> items
> and feedback)
>
> http://www.audubon.org/states/flashMap.php
>
> Thanks!!
> Aaron D.
> _______________________________________________
> New York PHP Talk Mailing List
> AMP Technology
> Supporting Apache, MySQL and PHP
> http://lists.nyphp.org/mailman/listinfo/talk
> http://www.nyphp.org
>



--
Alberto dos Santos
Consultor em TI
IT Consultant

http://www.yournway.com
A internet ? sua maneira.
The Internet your own way.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.nyphp.org/pipermail/talk/attachments/20050928/83130581/attachment.html>

From coling at macmicro.com  Wed Sep 28 13:55:51 2005
From: coling at macmicro.com (Colin Goldberg)
Date: Wed, 28 Sep 2005 13:55:51 -0400
Subject: [nycphp-talk] Audubon Flash/PHP Map
In-Reply-To: <20050928125757.c36byl6sdlkkcs44@208.179.130.20>
References: <20050928125757.c36byl6sdlkkcs44@208.179.130.20>
Message-ID: <433AD927.2040307@macmicro.com>

An HTML attachment was scrubbed...
URL: <http://lists.nyphp.org/pipermail/talk/attachments/20050928/3122db53/attachment.html>

From edwardpotter at gmail.com  Wed Sep 28 15:04:01 2005
From: edwardpotter at gmail.com (edward potter)
Date: Wed, 28 Sep 2005 15:04:01 -0400
Subject: [nycphp-talk] Audubon Flash/PHP Map
In-Reply-To: <20050928125757.c36byl6sdlkkcs44@208.179.130.20>
References: <20050928125757.c36byl6sdlkkcs44@208.179.130.20>
Message-ID: <c5949a3805092812046c1aeb41@mail.gmail.com>

Hi,

seemed to load ok to me. I'm taking a grad school Flash course now.

After 5 years, I've been converted to Flash, I'm now a total Flash
crazed php programmer.  It's UNBELIEVABLE what you can do now with
Flash, blew my mind.  And as I say, it took years to convert me.  I've
joined the Flash cult, some of the demos I've been show are AMAZING,
and now with an open source compiler, wow!

Before:
FLASH IS TERRIBLE, IT BREAKS ALL THE RULES, IT SUCKS!  NEVER USE FLASH.

After cult immersion tactics!  :-)

FLASH IS GOD, FLASH IS GOD, FLASH IS GOD

-ed

On 9/28/05, aaron at aarond.com <aaron at aarond.com> wrote:
> Hey guys, I could use some feedback on this page. It's a flash/php/oracle app
> that dynamically plots points on a map based on long/lat info for each contact
> in the db. It may be a little slow loading, but if it's REALLY slow please let
> me know.
>
> (A co-worker of mine developed the app, I just helped out on a few small items
> and feedback)
>
> http://www.audubon.org/states/flashMap.php
>
> Thanks!!
> Aaron D.
> _______________________________________________
> New York PHP Talk Mailing List
> AMP Technology
> Supporting Apache, MySQL and PHP
> http://lists.nyphp.org/mailman/listinfo/talk
> http://www.nyphp.org
>


From joshmccormack at travelersdiary.com  Wed Sep 28 16:21:39 2005
From: joshmccormack at travelersdiary.com (Josh McCormack)
Date: Wed, 28 Sep 2005 16:21:39 -0400
Subject: [nycphp-talk] Project management solutions
In-Reply-To: <1F3CD8DDFB6A9B4C9B8DD06E4A7DE3580135531C@network.PLMresearch.com>
References: <1F3CD8DDFB6A9B4C9B8DD06E4A7DE3580135531C@network.PLMresearch.com>
Message-ID: <433AFB53.5060703@travelersdiary.com>

How about Task Juggler (http://www.taskjuggler.org/), which I believe 
integrates with KDE stuff like their groupware, Kolab, as well as 
Kontact, etc.

Josh

Mark Withington wrote:

> I'm on the front-end of a research project to locate "good" PHP project
> management solutions.  So far I've identified the following candidates.
> Does anyone have experience with
> 
> PHProjekt http://www.phprojekt.com/	
> DOTproject http://www.dotproject.net/	
> Netoffice http://netoffice.sourceforge.net 
> TUTOS http://www.tutos.org	
> more.groupware http://mgw.k-fish.de/
> phpGroupWare http://www.phpgroupware.org/
> 
> Any ones that I've missed?
> 
> Thanks in advance,
> 
> Mark
> 
> --------------------------
> Mark L. Withington
> PLMresearch
> "eBusiness for the Midsize Enterprise"
> PO Box 1354
> Plymouth, MA  02362
> o: 800-310-3992 ext. 704
> f: 508-746-4973
> v: 508-746-2383
> m: 508-801-0181
> http://www.PLMresearch.com
> AIM/MSN/Skype: PLMresearch
> Yahoo:  PLMresearch2000
> mwithington at plmresearch.com
> Public Key: http://www.plmresearch.com/keys/MLW_public_key.asc
> Calendar: http://www.plmresearch.com/calendar.php
> _______________________________________________
> New York PHP Talk Mailing List
> AMP Technology
> Supporting Apache, MySQL and PHP
> http://lists.nyphp.org/mailman/listinfo/talk
> http://www.nyphp.org
> 


From jellicle at gmail.com  Wed Sep 28 17:41:46 2005
From: jellicle at gmail.com (Michael Sims)
Date: Wed, 28 Sep 2005 17:41:46 -0400
Subject: [nycphp-talk] mysqli errors
Message-ID: <200509281741.46464.jellicle@gmail.com>


The mysqli extension works nicely for accessing MySQL from PHP.  However, 
it throws warnings like a Mardi Gras float throws beads.

"Warning: mysqli::query(): No index used in query/prepared statement ..."

Some SELECT statements cannot use an index.  "SELECT foo FROM bar" doesn't 
use an index, because you want all the rows.  That doesn't stop mysqli 
from giving this warning, though.  Sometimes mysqli gives this warning 
even when MySQL is apparently using an index (i.e. the same query, 
executed with EXPLAIN, says it's using an index).  Shouldn't this be a 
notice rather than a warning anyway?  It's not an error that your query 
isn't using an index...

Question: what's the easiest and best way to get mysqli to shut up about no 
index being used?  I generally want to see errors, other warnings and 
notices, so I can't just turn them off.


Michael Sims


From 1j0lkq002 at sneakemail.com  Wed Sep 28 18:31:45 2005
From: 1j0lkq002 at sneakemail.com (inforequest)
Date: Wed, 28 Sep 2005 15:31:45 -0700
Subject: [nycphp-talk] Audubon Flash/PHP Map
In-Reply-To: <c5949a3805092812046c1aeb41@mail.gmail.com>
References: <20050928125757.c36byl6sdlkkcs44@208.179.130.20>
	<c5949a3805092812046c1aeb41@mail.gmail.com>
Message-ID: <5738-50735@sneakemail.com>

edward potter edwardpotter-at-gmail.com |nyphp dev/internal group use| 
wrote:

>Hi,
>
>seemed to load ok to me. I'm taking a grad school Flash course now.
>
>After 5 years, I've been converted to Flash, I'm now a total Flash
>crazed php programmer.  It's UNBELIEVABLE what you can do now with
>Flash, blew my mind.  And as I say, it took years to convert me.  I've
>joined the Flash cult, some of the demos I've been show are AMAZING,
>and now with an open source compiler, wow!
>
>Before:
>FLASH IS TERRIBLE, IT BREAKS ALL THE RULES, IT SUCKS!  NEVER USE FLASH.
>
>After cult immersion tactics!  :-)
>
>FLASH IS GOD, FLASH IS GOD, FLASH IS GOD
>
>-ed
>
>  
>

Hmm... haven't looked at Flash for  while, and Studio 8 is shipping.... 
can you provide a list of tools you use for LAMP + FLash work? Thanks..

-=john andrews
http://www.seo-fun.com

(of course everyone has perused www.BillyHarvey.com, right? ;-)






From joshmccormack at travelersdiary.com  Wed Sep 28 20:18:49 2005
From: joshmccormack at travelersdiary.com (Josh McCormack)
Date: Wed, 28 Sep 2005 20:18:49 -0400
Subject: [nycphp-talk] Audubon Flash/PHP Map
In-Reply-To: <c5949a3805092812046c1aeb41@mail.gmail.com>
References: <20050928125757.c36byl6sdlkkcs44@208.179.130.20>
	<c5949a3805092812046c1aeb41@mail.gmail.com>
Message-ID: <433B32E9.2060408@travelersdiary.com>

I'm all for Flash when it works, but I feel like I'm constantly having 
to talk designers out of using it. It mixes functionality in with code 
and buries it all in a hard to update file. Designers see a need for 
functionality and think Flash. They often think dynamic and robust mean 
animated and.... animated.

Josh

edward potter wrote:

> Hi,
> 
> seemed to load ok to me. I'm taking a grad school Flash course now.
> 
> After 5 years, I've been converted to Flash, I'm now a total Flash
> crazed php programmer.  It's UNBELIEVABLE what you can do now with
> Flash, blew my mind.  And as I say, it took years to convert me.  I've
> joined the Flash cult, some of the demos I've been show are AMAZING,
> and now with an open source compiler, wow!
> 
> Before:
> FLASH IS TERRIBLE, IT BREAKS ALL THE RULES, IT SUCKS!  NEVER USE FLASH.
> 
> After cult immersion tactics!  :-)
> 
> FLASH IS GOD, FLASH IS GOD, FLASH IS GOD
> 
> -ed
> 
> On 9/28/05, aaron at aarond.com <aaron at aarond.com> wrote:
> 
>>Hey guys, I could use some feedback on this page. It's a flash/php/oracle app
>>that dynamically plots points on a map based on long/lat info for each contact
>>in the db. It may be a little slow loading, but if it's REALLY slow please let
>>me know.
>>
>>(A co-worker of mine developed the app, I just helped out on a few small items
>>and feedback)
>>
>>http://www.audubon.org/states/flashMap.php
>>
>>Thanks!!
>>Aaron D.
>>_______________________________________________
>>New York PHP Talk Mailing List
>>AMP Technology
>>Supporting Apache, MySQL and PHP
>>http://lists.nyphp.org/mailman/listinfo/talk
>>http://www.nyphp.org
>>
> 
> _______________________________________________
> New York PHP Talk Mailing List
> AMP Technology
> Supporting Apache, MySQL and PHP
> http://lists.nyphp.org/mailman/listinfo/talk
> http://www.nyphp.org
> 


From matt at jiffycomp.com  Wed Sep 28 22:32:48 2005
From: matt at jiffycomp.com (Matt Morgan)
Date: Wed, 28 Sep 2005 22:32:48 -0400
Subject: [nycphp-talk] Audubon Flash/PHP Map
In-Reply-To: <20050928125757.c36byl6sdlkkcs44@208.179.130.20>
References: <20050928125757.c36byl6sdlkkcs44@208.179.130.20>
Message-ID: <433B5250.9070406@jiffycomp.com>

aaron at aarond.com wrote:

>Hey guys, I could use some feedback on this page. It's a flash/php/oracle app
>that dynamically plots points on a map based on long/lat info for each contact
>in the db. It may be a little slow loading, but if it's REALLY slow please let
>me know.
>
>(A co-worker of mine developed the app, I just helped out on a few small items
>and feedback)
>
>http://www.audubon.org/states/flashMap.php
>
>  
>
Hmm, I can't see the map. Only the little help guide. I'm using Firefox 
1.07 on Fedora Core 3. Flash mostly works, otherwise (I have flash 7 
installed).


From greg.rundlett at gmail.com  Wed Sep 28 23:02:03 2005
From: greg.rundlett at gmail.com (Greg Rundlett)
Date: Wed, 28 Sep 2005 23:02:03 -0400
Subject: [nycphp-talk] Audubon Flash/PHP Map
In-Reply-To: <433B5250.9070406@jiffycomp.com>
References: <20050928125757.c36byl6sdlkkcs44@208.179.130.20>
	<433B5250.9070406@jiffycomp.com>
Message-ID: <5e2aaca40509282002797512f4@mail.gmail.com>

> Hmm, I can't see the map. Only the little help guide. I'm using Firefox
> 1.07 on Fedora Core 3. Flash mostly works, otherwise (I have flash 7
> installed).


Broken here too. I get the left half of the map, with a gray area for the
right half. Firefox 1.03 on FC3. Konqueror shows the whole map.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.nyphp.org/pipermail/talk/attachments/20050928/009058a7/attachment.html>

From yournway at gmail.com  Thu Sep 29 03:47:26 2005
From: yournway at gmail.com (Alberto dos Santos)
Date: Thu, 29 Sep 2005 08:47:26 +0100
Subject: [nycphp-talk] Audubon Flash/PHP Map
In-Reply-To: <5e2aaca40509282002797512f4@mail.gmail.com>
References: <20050928125757.c36byl6sdlkkcs44@208.179.130.20>
	<433B5250.9070406@jiffycomp.com>
	<5e2aaca40509282002797512f4@mail.gmail.com>
Message-ID: <edce576505092900472e2b1202@mail.gmail.com>

Oh. Then I might add I was using Firefox 1.0.7 on WinXP.
It all worked fine.

On 29/09/05, Greg Rundlett <greg.rundlett at gmail.com> wrote:
>
>
> Hmm, I can't see the map. Only the little help guide. I'm using Firefox
> > 1.07 on Fedora Core 3. Flash mostly works, otherwise (I have flash 7
> > installed).
>
>
> Broken here too. I get the left half of the map, with a gray area for the
> right half. Firefox 1.03 on FC3. Konqueror shows the whole map.
>
>
>
>
> _______________________________________________
> New York PHP Talk Mailing List
> AMP Technology
> Supporting Apache, MySQL and PHP
> http://lists.nyphp.org/mailman/listinfo/talk
> http://www.nyphp.org
>
>


--
Alberto dos Santos
Consultor em TI
IT Consultant

http://www.yournway.com
A internet ? sua maneira.
The Internet your own way.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.nyphp.org/pipermail/talk/attachments/20050929/e5c3232d/attachment.html>

From ken at secdat.com  Thu Sep 29 08:16:42 2005
From: ken at secdat.com (Kenneth Downs)
Date: Thu, 29 Sep 2005 08:16:42 -0400 (EDT)
Subject: [nycphp-talk] Audubon Flash/PHP Map
In-Reply-To: <20050928125757.c36byl6sdlkkcs44@208.179.130.20>
References: <20050928125757.c36byl6sdlkkcs44@208.179.130.20>
Message-ID: <53898.38.117.147.25.1127996202.squirrel@38.117.147.25>

I'm running Firefox.

There is a big gray box covering the eastern half of the map, don't know
what that is, perhaps the site was coded for IE?

The 'back' button does not work.

I would offer more feedback but with the big gray box on there I can't do
much.

> Hey guys, I could use some feedback on this page. It's a flash/php/oracle
> app
> that dynamically plots points on a map based on long/lat info for each
> contact
> in the db. It may be a little slow loading, but if it's REALLY slow please
> let
> me know.
>
> (A co-worker of mine developed the app, I just helped out on a few small
> items
> and feedback)
>
> http://www.audubon.org/states/flashMap.php
>
> Thanks!!
> Aaron D.
> _______________________________________________
> New York PHP Talk Mailing List
> AMP Technology
> Supporting Apache, MySQL and PHP
> http://lists.nyphp.org/mailman/listinfo/talk
> http://www.nyphp.org
>


-- 
Kenneth Downs
Secure Data Software
631-379-0010
ken at secdat.com
PO Box 708
East Setauket, NY 11733



From nyphp at enobrev.com  Thu Sep 29 08:26:31 2005
From: nyphp at enobrev.com (Mark Armendariz)
Date: Thu, 29 Sep 2005 05:26:31 -0700
Subject: [nycphp-talk] Audubon Flash/PHP Map
In-Reply-To: <433B32E9.2060408@travelersdiary.com>
Message-ID: <20050929122630.B1768A8777@virtu.nyphp.org>

> It mixes functionality in with code
> and buries it all in a hard to update file. 

Such is no longer the case.  These days, my fla files generally have 2 lines
of code in them.  One to import the main Actionscript file and the other to
execute the constructor of the app.  Everything else is in a full directory
structure of easily editable text files with an 'as' extension.  Actually
the perfect balance of separating the coder from the designer in my
experience.

Flash is so much more developer-friendly these days.  I still hate the ide
and think it should be beaten to bits (haven't played with 8 yet, so don't
hate me if it's improved - thankfully that's for the designers to deal
with), but development is so much more rewarding than it once was.

Mark



From agfische at email.smith.edu  Thu Sep 29 08:27:57 2005
From: agfische at email.smith.edu (Aaron Fischer)
Date: Thu, 29 Sep 2005 08:27:57 -0400
Subject: [nycphp-talk] Audubon Flash/PHP Map
In-Reply-To: <20050928125757.c36byl6sdlkkcs44@208.179.130.20>
References: <20050928125757.c36byl6sdlkkcs44@208.179.130.20>
Message-ID: <433BDDCD.5020403@email.smith.edu>

-Aaron D.

Seems to work just fine with Safari on Mac OS X.

-Aaron F.

aaron at aarond.com wrote:

>Hey guys, I could use some feedback on this page. It's a flash/php/oracle app
>that dynamically plots points on a map based on long/lat info for each contact
>in the db. It may be a little slow loading, but if it's REALLY slow please let
>me know.
>
>(A co-worker of mine developed the app, I just helped out on a few small items
>and feedback)
>
>http://www.audubon.org/states/flashMap.php
>
>Thanks!!
>Aaron D.
>  
>



From chsnyder at gmail.com  Thu Sep 29 09:26:55 2005
From: chsnyder at gmail.com (csnyder)
Date: Thu, 29 Sep 2005 09:26:55 -0400
Subject: [nycphp-talk] Audubon Flash/PHP Map
In-Reply-To: <20050929122630.B1768A8777@virtu.nyphp.org>
References: <433B32E9.2060408@travelersdiary.com>
	<20050929122630.B1768A8777@virtu.nyphp.org>
Message-ID: <b762526905092906261e18aa06@mail.gmail.com>

On 9/29/05, Mark Armendariz <nyphp at enobrev.com> wrote:

> Flash is so much more developer-friendly these days.  I still hate the ide
> and think it should be beaten to bits (haven't played with 8 yet, so don't
> hate me if it's improved - thankfully that's for the designers to deal
> with), but development is so much more rewarding than it once was.
>

A non-geek friend of mine from SF knows a bunch of people who code for
Macromedia, and says they are always talking about "this PHP thing".
They have been actively promoting Flash+PHP for a couple years now. I
wish the Flash IDE was higher quality, but then that's really the
designer's domain.

Flash+actionscript+php (FLAP?) is a pretty killer platform for rich
web applications, and not subject (to the best of my knowledge) to the
same class of cross-site-scripting attacks that AJAX apps are. The
biggest problem for me is the lack of an open-source player. If
Macromedia/Adobe decides to start selling ads on top of your
application, or includes spyware in the player, what are you going to
do about it?


From ereyes at totalcreations.com  Thu Sep 29 10:12:11 2005
From: ereyes at totalcreations.com (Edgar Reyes)
Date: Thu, 29 Sep 2005 10:12:11 -0400
Subject: [nycphp-talk] Audubon Flash/PHP Map
In-Reply-To: <53898.38.117.147.25.1127996202.squirrel@38.117.147.25>
Message-ID: <00c701c5c4ff$c8c3b1e0$6500a8c0@ERENTR>

It works fine for me and I tried it in Firefox 1.7 Netscape 7.2 and IE.

ER

-----Original Message-----
From: talk-bounces at lists.nyphp.org [mailto:talk-bounces at lists.nyphp.org] On
Behalf Of Kenneth Downs
Sent: Thursday, September 29, 2005 7:17 AM
To: NYPHP Talk
Subject: Re: [nycphp-talk] Audubon Flash/PHP Map

I'm running Firefox.

There is a big gray box covering the eastern half of the map, don't know
what that is, perhaps the site was coded for IE?

The 'back' button does not work.

I would offer more feedback but with the big gray box on there I can't do
much.

> Hey guys, I could use some feedback on this page. It's a flash/php/oracle
> app
> that dynamically plots points on a map based on long/lat info for each
> contact
> in the db. It may be a little slow loading, but if it's REALLY slow please
> let
> me know.
>
> (A co-worker of mine developed the app, I just helped out on a few small
> items
> and feedback)
>
> http://www.audubon.org/states/flashMap.php
>
> Thanks!!
> Aaron D.
> _______________________________________________
> New York PHP Talk Mailing List
> AMP Technology
> Supporting Apache, MySQL and PHP
> http://lists.nyphp.org/mailman/listinfo/talk
> http://www.nyphp.org
>


-- 
Kenneth Downs
Secure Data Software
631-379-0010
ken at secdat.com
PO Box 708
East Setauket, NY 11733

_______________________________________________
New York PHP Talk Mailing List
AMP Technology
Supporting Apache, MySQL and PHP
http://lists.nyphp.org/mailman/listinfo/talk
http://www.nyphp.org



From jellicle at gmail.com  Thu Sep 29 10:42:52 2005
From: jellicle at gmail.com (Michael Sims)
Date: Thu, 29 Sep 2005 10:42:52 -0400
Subject: [nycphp-talk] Audubon Flash/PHP Map
In-Reply-To: <20050928125757.c36byl6sdlkkcs44@208.179.130.20>
References: <20050928125757.c36byl6sdlkkcs44@208.179.130.20>
Message-ID: <200509291042.52795.jellicle@gmail.com>

On Wednesday 28 September 2005 12:57, aaron at aarond.com wrote:

> Hey guys, I could use some feedback on this page. It's a
> flash/php/oracle app that dynamically plots points on a map based on
> long/lat info for each contact in the db. It may be a little slow
> loading, but if it's REALLY slow please let me know.

The page has this code:

<span class="pagename">State Chapter Information</span><br>
<span class="subtitle">Interactive Flash Map</font> <br>
<img src="clear.gif" width="1" height="9"><br>

I would bet quite a lot that the </font> tag should be a </span> instead.  
That's (probably) what's causing the right half of the Flash app to be 
greyed out for a lot of people, including me.


Michael Sims


From max at neuropunks.org  Thu Sep 29 11:27:55 2005
From: max at neuropunks.org (Max Gribov)
Date: Thu, 29 Sep 2005 11:27:55 -0400
Subject: [nycphp-talk] OT - embedded WMV objects - no full screen on FireFox
Message-ID: <433C07FB.60006@neuropunks.org>

Hello,
This is slightly offtopic, a little problem im having with this site
im writing.
I have following code:

<object id="player"
classid="clsid:6BF52A52-394A-11d3-B153-00C04F79FAA6" width="420"
height="366" >
        <param name="AutoStart" value="true">
        <param name="URL" value="<?=$movurl;?>">
        <param name="uiMode" value="full">

        <embed name="player" width="420" height="366"
        type="video/x-ms-asf-plugin"
        pluginspage="http://www.microsoft.com/windows/windowsmedia/"
        filename="<?=$movurl;?>" src="<?=$movurl;?>"
        allowchangedisplaysize="1" autosize="1" displaysize="1"
        showcontrols="1" showstatusbar="1" autorewind="1" autostart="1">
        </embed>
</object>
<br>
<a href="#" onClick="player.fullScreen = true"><img
src="images/fullscreen.jpg"></a>


As you can see, when I click on the fullscreen.jpg button the wmv file
is supposed to become fullscreen - and it does, but only in IE
I was looking through google, as well as comparing this code to other
code I wrote/could find, and everything seems like it should work.

Can anyone see what Im doing wrong? Or is it not the code, and im
missing something entirely else?..

note: inside the <object> tag I used to have

type="application/x-oleobject"

directive, and adding/removing it did not change anything


Thank you!

Max



From aaron at aarond.com  Thu Sep 29 11:59:41 2005
From: aaron at aarond.com (aaron)
Date: Thu, 29 Sep 2005 11:59:41 -0400
Subject: [nycphp-talk] Audubon Flash/PHP Map
In-Reply-To: <200509291042.52795.jellicle@gmail.com>
References: <20050928125757.c36byl6sdlkkcs44@208.179.130.20>
	<200509291042.52795.jellicle@gmail.com>
Message-ID: <433C0F6D.8070001@aarond.com>

Thank you all for looking over the flash map.  I sent all of your 
feedback to the developer and will continue to do so if any more come 
in. He fixed the span/font tag mishap, so if you can take another quick 
look I would appreciate it. I only have pc/max here to test on, no *nix 
environment yet.

http://www.audubon.org/states/flashMap.php


Thanks again!!
Aaron D.






Michael Sims wrote:

>On Wednesday 28 September 2005 12:57, aaron at aarond.com wrote:
>
>  
>
>>Hey guys, I could use some feedback on this page. It's a
>>flash/php/oracle app that dynamically plots points on a map based on
>>long/lat info for each contact in the db. It may be a little slow
>>loading, but if it's REALLY slow please let me know.
>>    
>>
>
>The page has this code:
>
><span class="pagename">State Chapter Information</span><br>
><span class="subtitle">Interactive Flash Map</font> <br>
><img src="clear.gif" width="1" height="9"><br>
>
>I would bet quite a lot that the </font> tag should be a </span> instead.  
>That's (probably) what's causing the right half of the Flash app to be 
>greyed out for a lot of people, including me.
>
>
>Michael Sims
>_______________________________________________
>New York PHP Talk Mailing List
>AMP Technology
>Supporting Apache, MySQL and PHP
>http://lists.nyphp.org/mailman/listinfo/talk
>http://www.nyphp.org
>  
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.nyphp.org/pipermail/talk/attachments/20050929/6a803769/attachment.html>

From greg.rundlett at gmail.com  Thu Sep 29 20:26:56 2005
From: greg.rundlett at gmail.com (Greg Rundlett)
Date: Thu, 29 Sep 2005 20:26:56 -0400
Subject: [nycphp-talk] Audubon Flash/PHP Map
In-Reply-To: <433C0F6D.8070001@aarond.com>
References: <20050928125757.c36byl6sdlkkcs44@208.179.130.20>
	<200509291042.52795.jellicle@gmail.com> <433C0F6D.8070001@aarond.com>
Message-ID: <5e2aaca405092917262f0a05ec@mail.gmail.com>

Still half gray here.

The w3c validator points out that the Doctype element (which should be
the first line) is actually on line two of the source.


From Consult at CovenantEDesign.com  Thu Sep 29 21:27:39 2005
From: Consult at CovenantEDesign.com (CED)
Date: Thu, 29 Sep 2005 21:27:39 -0400
Subject: [nycphp-talk] OT - embedded WMV objects - no full screen on
	FireFox
References: <433C07FB.60006@neuropunks.org>
Message-ID: <030601c5c55e$25f77820$0319a8c0@ced>

I'm not exactly sure if you need the object tag... for mozilla, or something
of that sort...


Other than that I'd look here:
http://www.mozilla.org/quality/browser/front-end/testcases/oji/objecttest5.html
then here:
http://java.sun.com/j2se/1.5.0/docs/guide/plugin/developer_guide/using_tags.html

I didn't have time to, what can I say, I'm fat and Lazy =D. Aren't all
programmers? Well, minus the fat maybe.


Edward JS Prevost II
Me at EdwardPrevost.info
www.EdwardPrevost.info


----- Original Message ----- 
From: "Max Gribov" <max at neuropunks.org>
To: "NYPHP Talk" <talk at lists.nyphp.org>
Sent: Thursday, September 29, 2005 11:27 AM
Subject: [nycphp-talk] OT - embedded WMV objects - no full screen on FireFox


Hello,
This is slightly offtopic, a little problem im having with this site
im writing.
I have following code:
http://www.mozilla.org/quality/browser/front-end/testcases/oji/objecttest5.html

<object id="player"
classid="clsid:6BF52A52-394A-11d3-B153-00C04F79FAA6" width="420"
height="366" >
        <param name="AutoStart" value="true">
        <param name="URL" value="<?=$movurl;?>">
        <param name="uiMode" value="full">

        <embed name="player" width="420" height="366"
        type="video/x-ms-asf-plugin"
        pluginspage="http://www.microsoft.com/windows/windowsmedia/"
        filename="<?=$movurl;?>" src="<?=$movurl;?>"
        allowchangedisplaysize="1" autosize="1" displaysize="1"
        showcontrols="1" showstatusbar="1" autorewind="1" autostart="1">
        </embed>
</object>
<br>
<a href="#" onClick="player.fullScreen = true"><img
src="images/fullscreen.jpg"></a>


As you can see, when I click on the fullscreen.jpg button the wmv file
is supposed to become fullscreen - and it does, but only in IE
I was looking through google, as well as comparing this code to other
code I wrote/could find, and everything seems like it should work.

Can anyone see what Im doing wrong? Or is it not the code, and im
missing something entirely else?..

note: inside the <object> tag I used to have

type="application/x-oleobject"

directive, and adding/removing it did not change anything


Thank you!

Max

_______________________________________________
New York PHP Talk Mailing List
AMP Technology
Supporting Apache, MySQL and PHP
http://lists.nyphp.org/mailman/listinfo/talk
http://www.nyphp.org



From kigathi at gmail.com  Fri Sep 30 08:32:19 2005
From: kigathi at gmail.com (Eric K.)
Date: Fri, 30 Sep 2005 08:32:19 -0400
Subject: [nycphp-talk] SQL - Sorting on multiple columns
Message-ID: <f6b3106e0509300532o71ff409bl8e17a3db05aaaa5e@mail.gmail.com>

Quick SQL-related question that seems deceptively simple but that I
can't seem to solve:

I have a database with authors and books they've written-looks very similar to:
http://www.onlamp.com/pub/a/php/2004/01/29/php_foundations.html

I have a simple query that returns a resultset of the names of the top
25 authors and the books they've published thus:

SELECT authors.name, COUNT(books.title) AS books
FROM authors,books
WHERE books.author_id = authors.author_id
GROUP BY name
ORDER BY books
LIMIT 0,25

Pretty straightforward right? Actually no, because I'd like to have
the result set returned in order of author name but because of the top
25 stipulation (ORDER by books LIMIT 0,25) I can't.

Is there any way to get the top 25 resultset sorted by author name
with a straightforward SQL query (unfortunately MySQL 4.0 doesn't like
subselects). Unfortunately I can't sort the resultset in PHP.


From prusak at gmail.com  Fri Sep 30 10:52:10 2005
From: prusak at gmail.com (Ophir Prusak)
Date: Fri, 30 Sep 2005 10:52:10 -0400
Subject: [nycphp-talk] SQL - Sorting on multiple columns
In-Reply-To: <f6b3106e0509300532o71ff409bl8e17a3db05aaaa5e@mail.gmail.com>
References: <f6b3106e0509300532o71ff409bl8e17a3db05aaaa5e@mail.gmail.com>
Message-ID: <f1dc81bb0509300752y17505dc8h140063484d5d80d5@mail.gmail.com>

If you want the top 25 authors (in terms of books) sorted by author
name, you'll need a subselect. Try mysql 4.1 :)

or insert into a temp table (memory based) and query from there.

Also - why can't u sort it in php ?


On 9/30/05, Eric K. <kigathi at gmail.com> wrote:
> Quick SQL-related question that seems deceptively simple but that I
> can't seem to solve:
>
> I have a database with authors and books they've written-looks very similar to:
> http://www.onlamp.com/pub/a/php/2004/01/29/php_foundations.html
>
> I have a simple query that returns a resultset of the names of the top
> 25 authors and the books they've published thus:
>
> SELECT authors.name, COUNT(books.title) AS books
> FROM authors,books
> WHERE books.author_id = authors.author_id
> GROUP BY name
> ORDER BY books
> LIMIT 0,25
>
> Pretty straightforward right? Actually no, because I'd like to have
> the result set returned in order of author name but because of the top
> 25 stipulation (ORDER by books LIMIT 0,25) I can't.
>
> Is there any way to get the top 25 resultset sorted by author name
> with a straightforward SQL query (unfortunately MySQL 4.0 doesn't like
> subselects). Unfortunately I can't sort the resultset in PHP.
> _______________________________________________
> New York PHP Talk Mailing List
> AMP Technology
> Supporting Apache, MySQL and PHP
> http://lists.nyphp.org/mailman/listinfo/talk
> http://www.nyphp.org
>


From agfische at email.smith.edu  Fri Sep 30 12:36:49 2005
From: agfische at email.smith.edu (Aaron Fischer)
Date: Fri, 30 Sep 2005 12:36:49 -0400
Subject: [nycphp-talk] What are ? and :
Message-ID: <433D69A1.2070903@email.smith.edu>

I am in the process of reading through the PHundamentals article titled 
"Functions for Storing Data Submitted From a Form and Displaying Data 
from a Database" and have run into two symbols that I am unclear about 
in the fix_magic_quotes function.
http://www.nyphp.org/phundamentals/storingretrieving.php

The symbols in question are ? and :

The lines where they are used:

1)  $argv = isset($_SERVER['argv']) ? $_SERVER['argv'] : NULL;

2)  return $sybase ? str_replace ('\'\'', '\'', $var) : stripslashes ($var);

Would appreciate an explanation of the usage of the symbols and their 
use in the context of these two lines.

Thanks,

-Aaron



From rahmin at insite-out.com  Fri Sep 30 12:47:22 2005
From: rahmin at insite-out.com (Rahmin Pavlovic)
Date: Fri, 30 Sep 2005 12:47:22 -0400
Subject: [nycphp-talk] What are ? and :
Message-ID: <200509301647.j8UGlMOx002505@webmail5.megamailservers.com>

An embedded and charset-unspecified text was scrubbed...
Name: not available
URL: <http://lists.nyphp.org/pipermail/talk/attachments/20050930/cc308388/attachment.ksh>

From jellicle at gmail.com  Fri Sep 30 12:58:27 2005
From: jellicle at gmail.com (Michael Sims)
Date: Fri, 30 Sep 2005 12:58:27 -0400
Subject: [nycphp-talk] What are ? and :
In-Reply-To: <433D69A1.2070903@email.smith.edu>
References: <433D69A1.2070903@email.smith.edu>
Message-ID: <200509301258.28038.jellicle@gmail.com>

On Friday 30 September 2005 12:36, Aaron Fischer wrote:

> The symbols in question are ? and :

?: is the "ternary operator".  Google for that and you should get plenty of 
information.

http://ca.php.net/manual/en/language.operators.comparison.php#language.operators.comparison.ternary

A ? B : C

can be roughly translated as "test A, and pick B or C depending on how A's 
test came out".

> 1)  $argv = isset($_SERVER['argv']) ? $_SERVER['argv'] : NULL;

So this is saying if the _SERVER variable argv is set, then set the local 
variable argv with that value; otherwise set it to NULL.  The more direct 
approach:

$argv = $_SERVER['argv'];

will throw an error if $_SERVER['argv'] doesn't exist.  (Actually, it will 
throw a notice, not an error, and the script will continue to execute, and 
the functional effect will be very similar, but using the ternary operator 
is certainly more elegant.)


Michael Sims


From enunez at tiaa-cref.org  Fri Sep 30 13:04:38 2005
From: enunez at tiaa-cref.org (Nunez, Eddy)
Date: Fri, 30 Sep 2005 13:04:38 -0400
Subject: [nycphp-talk] What are ? and :
Message-ID: <33DFD788D44E404CB92B90176DEC061A6DAFD0@NYCPDMSXMB06.ad.tiaa-cref.org>


Yeah no kidding .. I love this stuff!!
I've used them in sequence to test and update a conditional variable...
some actual code I wrie to set a string based on various database variables..

        $approval_status = ( $adt=$res[APPROVED] ) ? "Approved on $adt" : 'Unapproved' ;
        $approval_status = ( in_array($suffix,array('AN','SP')) ) ? 'N/A' : $approval_status ;
        $approval_status = ( $cdt=$res[COMPLETED] ) ? "Closed on $cdt" : $approval_status ;
        $approval_status = ( $cdt=$res[CANCELED] ) ? "Canceled on $cdt" : $approval_status ;

I realized in the above the sequence of the instructions is critical for the correct
result because the following statements will use the previous results on false condition.

FYI: texts refer to it as Trinary operator because it takes 3 operands, instead of
the more common 2 ops.

Cool stuff!

-----Original Message-----
From: talk-bounces at lists.nyphp.org
[mailto:talk-bounces at lists.nyphp.org]On Behalf Of Rahmin Pavlovic
Sent: Friday, September 30, 2005 12:47 PM
To: NYPHP Talk; Aaron Fischer
Subject: Re: [nycphp-talk] What are ? and :



On Fri, 30 Sep 2005 12:36 , Aaron Fischer <agfische at email.smith.edu> sent:

>I am in the process of reading through the PHundamentals article titled 
>"Functions for Storing Data Submitted From a Form and Displaying Data 
>from a Database" and have run into two symbols that I am unclear about 
>in the fix_magic_quotes function.
>http://www.nyphp.org/phundamentals/storingretrieving.php
>
>The symbols in question are ? and :
>
>The lines where they are used:
>
>1)  $argv = isset($_SERVER['argv']) ? $_SERVER['argv'] : NULL;
>

It's a conditional operator, and it's basically a simple if/else assignment.  In
this case, it's checking to see if there are any arguments -- if so, they get
assigned to $argv, if not, $argv is NULL.

A lot of people don't like conditional operators, but I use them a lot.



_______________________________________________
New York PHP Talk Mailing List
AMP Technology
Supporting Apache, MySQL and PHP
http://lists.nyphp.org/mailman/listinfo/talk
http://www.nyphp.org


**************************************************************
This message, including any attachments, contains confidential information intended for a specific individual and purpose, and is protected by law.  If you are not the intended recipient, please contact sender immediately by reply e-mail and destroy all copies.  You are hereby notified that any disclosure, copying, or distribution of this message, or the taking of any action based on it, is strictly prohibited.
TIAA-CREF
**************************************************************



From agfische at email.smith.edu  Fri Sep 30 13:30:06 2005
From: agfische at email.smith.edu (Aaron Fischer)
Date: Fri, 30 Sep 2005 13:30:06 -0400
Subject: [nycphp-talk] What are ? and :
In-Reply-To: <200509301258.28038.jellicle@gmail.com>
References: <433D69A1.2070903@email.smith.edu>
	<200509301258.28038.jellicle@gmail.com>
Message-ID: <433D761E.6060005@email.smith.edu>

Awesome, thanks for the description!  That's very helpful, as is the 
link as well. 

I'd like to say that this list rocks, as usual.

Cheers,

-Aaron
 

Michael Sims wrote:

>On Friday 30 September 2005 12:36, Aaron Fischer wrote:
>
>  
>
>>The symbols in question are ? and :
>>    
>>
>
>?: is the "ternary operator".  Google for that and you should get plenty of 
>information.
>
>http://ca.php.net/manual/en/language.operators.comparison.php#language.operators.comparison.ternary
>
>A ? B : C
>
>can be roughly translated as "test A, and pick B or C depending on how A's 
>test came out".
>
>  
>
>>1)  $argv = isset($_SERVER['argv']) ? $_SERVER['argv'] : NULL;
>>    
>>
>
>So this is saying if the _SERVER variable argv is set, then set the local 
>variable argv with that value; otherwise set it to NULL.  The more direct 
>approach:
>
>$argv = $_SERVER['argv'];
>
>will throw an error if $_SERVER['argv'] doesn't exist.  (Actually, it will 
>throw a notice, not an error, and the script will continue to execute, and 
>the functional effect will be very similar, but using the ternary operator 
>is certainly more elegant.)
>  
>



From cliff at pinestream.com  Fri Sep 30 13:31:36 2005
From: cliff at pinestream.com (Cliff Hirsch)
Date: Fri, 30 Sep 2005 13:31:36 -0400
Subject: [nycphp-talk] Paginating tables properly when rows are collapsed by
	a column
Message-ID: <000301c5c5e4$cf636460$0ba8a8c0@cliff>

I am trying to properly paginate a table spread over several pages. The
problem is, I want the # of rows displayed to be based on a collapsed
summary column. Using Javascript, the default display would be to
collapse everything based on one field (in this case category). As an
example, I may want to show 10 collapsed category rows per page that can
expand into a larger # of rows based on the # of rows in each category,
when a Javascript "shows rows in category" button is clicked. This makes
the start # a bit tricky and the individual rowsperpage # variable while
though the "category rowsperpage # is fixed.
 
I think this would give me the proper results if it worked:
 
SELECT fields FROM table WHERE table.userid = $userid
AND table.catid IN (SELECT DISTINCT catid FROM table
WHERE table.userid = $userid AND LIMIT $startrow, $rowsperpage)
 
>>But LIMIT is not allowed in a sub-query, so I tried this:
  
SELECT GROUP_CONCAT(DISTINCT catid) FROM table
WHERE table.userid = $userid AND LIMIT $startrow, $rowsperpage
 
SELECT fields FROM table
WHERE table.userid = $userid AND table.catid IN ($result from above
query)
 
>> But LIMIT does not work for GROUP_CONCAT, so I'm down to this:
 
SELECT DISTINCT catid FROM table
WHERE table.userid = $userID AND LIMIT $startrow, $rowsperpage)
 
PHP code to turn array result into a string, then:
 
SELECT fields FROM table
WHERE table.userid = $userid AND table.cid IN ($result from above query)
 
Is there a simpler way? Perhaps this is a case for AJAX -- only get row
info when an "expand" button is clicked. Thoughts?
 
Cliff Hirsch
_______________________________
Pinestream Communications, Inc.
Publisher of Semiconductor Times & Telecom Trends
http://www.pinestream.com
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.nyphp.org/pipermail/talk/attachments/20050930/520da6af/attachment.html>

From lists at zaunere.com  Fri Sep 30 13:59:29 2005
From: lists at zaunere.com (Hans Zaunere)
Date: Fri, 30 Sep 2005 13:59:29 -0400
Subject: [nycphp-talk] FW: [nycbug-talk] gpl on /.
Message-ID: <0MKp2t-1ELPAV3kEl-0002Wy@mrelay.perfora.net>


Marc Spitzer wrote on Friday, September 30, 2005 11:41 AM:
> Saw below on slashdot, this is something we need to be up to speed on.
>  All you web developers out there need to add in time for licence
> review on your projects, if you use any 3rd party lib, ouch.
> 
>  Vicissidude writes "At present, companies that distribute
> GPL-licensed software must make the source code publicly available,
> including any modifications they've made. Though the rule covers many
> businesses that use GPL-licensed software for commercial ends, it
> doesn't cover Web companies that use such software to offer their
> services through the Web, as they're not actually distributing the
> software. GPL 3, the next version of the free software license, a
> draft of which is expected to be released in early 2006, may close
> this loophole, GPL author and Free Software Foundation head Richard
> Stallman said in an interview."
> 
> interview link http://news.zdnet.com/2100-3513_22-5884172.html

Interesting developments in the exciting world of GPL licensing...

H



From suzerain at suzerain.com  Fri Sep 30 17:23:32 2005
From: suzerain at suzerain.com (Marc Antony Vose)
Date: Fri, 30 Sep 2005 17:23:32 -0400
Subject: [nycphp-talk] strategy question: point accrual system and bots
In-Reply-To: <433C07FB.60006@neuropunks.org>
References: <433C07FB.60006@neuropunks.org>
Message-ID: <p06230904bf6359faad46@[192.168.1.44]>

Hi there.

I'm asking a sort of general question here about how to design an 
application I'm making.  Basically, actions on a Web site will result 
in members accruing points (the actions vary, but almost always cause 
a form to be submitted, some action to be performed on the back end, 
and then points to be allocated to the user).

I'm interested in people's strategies for preventing scripts or bots 
from continually submitting actions and accruing points for someone. 
In some cases, there are special things I can look for that will be 
the components of these actions, but I'm looking also for some kind 
of general strategy (special hash keys based on some random factor, 
etc. and so on).

I have a few ideas, but other people probably have better ones...the 
simpler and more straightforward the better.

Cheers,

-- 
Marc Antony Vose
http://www.suzerain.com/

The only "intuitive" interface is the nipple. After that, it's all learned.
-- Bruce Ediger


From mail at billyreisinger.com  Fri Sep 30 18:03:01 2005
From: mail at billyreisinger.com (Billy Reisinger)
Date: Fri, 30 Sep 2005 18:03:01 -0400
Subject: [nycphp-talk] strategy question: point accrual system and bots
In-Reply-To: <p06230904bf6359faad46@[192.168.1.44]>
References: <433C07FB.60006@neuropunks.org>
	<p06230904bf6359faad46@[192.168.1.44]>
Message-ID: <2009AE73-7D9D-4A21-838E-750CCE947E6D@billyreisinger.com>

Hey Marc -
I think that the simplicity of the solution is directly proportional  
to the importance of
preventing people from "submit fraud." If it is really important  
(i.e. there is money involved),
the complexity of your solution will necessarily have to be greater;  
however, if you are
not going to lose money or a limb if someone "illegally" accrues  
points, then perhaps
a simple combination of tracking session ID's and IP addresses would  
work.   I wouldn't rely
on any one method alone, though.  It seems that tracking user or bot  
activity on the web is best accomplished through
a combination of strategies.   For example, you definitely can't rely  
on the accuracy of IP addresses, or that
one user == one IP address.  On the other hand, using an IP address  
in combination with, say, the user's session id, some cookie
data, or some information in the http header (like browser or  
operating system) might be an effective way of tracking a single user.

If you are dealing with a system where people have to provide a  
username/password to submit anything, your chances of identifying  
your users just got a ton better!

Also, you can be sure something funky is going on if someone  
continually submits a form many times in a small
amount of time.  It might be good to put a threshold there,  
preventing people from re-submitting for, say, 60 seconds or something.

Cheers,
Billy

On Sep 30, 2005, at 5:23 PM, Marc Antony Vose wrote:

> Hi there.
>
> I'm asking a sort of general question here about how to design an
> application I'm making.  Basically, actions on a Web site will result
> in members accruing points (the actions vary, but almost always cause
> a form to be submitted, some action to be performed on the back end,
> and then points to be allocated to the user).
>
> I'm interested in people's strategies for preventing scripts or bots
> from continually submitting actions and accruing points for someone.
> In some cases, there are special things I can look for that will be
> the components of these actions, but I'm looking also for some kind
> of general strategy (special hash keys based on some random factor,
> etc. and so on).
>
> I have a few ideas, but other people probably have better ones...the
> simpler and more straightforward the better.
>
> Cheers,
>
> -- 
> Marc Antony Vose
> http://www.suzerain.com/
>



From stephen at musgrave.org  Fri Sep 30 18:49:00 2005
From: stephen at musgrave.org (Stephen Musgrave)
Date: Fri, 30 Sep 2005 18:49:00 -0400
Subject: [nycphp-talk] Validating/cleaning/scrubbing
Message-ID: <3a2a0d6a56ce33fcaed8fb6b6b98b96a@musgrave.org>


Given Tuesday's presentation by Chris Shiflett (thanks, Chris!), I have 
been thinking more about security and am wondering if there are any 
classes out there that people are using that the trust and can 
recommend?  Any comments about PHP Input Filter?

PHP Input Filter (linked the PHP Security Consortium web site)
http://cyberai.com/inputfilter/

Thanks,

Stephen

  
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: text/enriched
Size: 388 bytes
Desc: not available
URL: <http://lists.nyphp.org/pipermail/talk/attachments/20050930/4f893611/attachment.bin>