Quotes DB: #php

<0> but they don't have internet access
<1> what about stuff like onclick in a <p> tag?
<2> hacked`, What operating system is it using?
<2> The server
<0> daskies, win2000
<2> Problem
<0> no
<2> M$ doesn't do mial()
<1> The most I'd do is just htmlspecialchars though...
<2> *mail()
<0> daskies
<0> so how can i do it
<1> SMTP server
<0> i don't want to set up an smtp server
<2> Or anything not using M$
<1> Then you don't do it at all.
<1> Actually, I lie.
<0> i want to use my isp's smtp
<1> I think you can enter an external smtp.
<1> But I wouldn't recommend it. Check your php.ini configuration, happy days :)
<0> zule, point is, will the workstations need internet access
<3> RogueJedi: It would be best to have a white list of tags you let users enter, and a white list of tag attributes and then strip out everything else. You may not want them to enter things like <html> or <body> tags, or style attributes on stuff
<0> or will server send out email
<1> Well, yea. Some kind, even if indirect.
<4> mail() works on windows, php.net/mail
<0> exactly
<0> i don't know why people were misleading me
<1> Only if you have an SMTP server entered in your php.ini config though...
<5> What's an unexpected T_VARIABLE error mean?
<6> hacked` Then do your own research and learn
<7> NativePHP: you still don't have to do that processing upon input.
<1> That the variable wasn't expected.
<2> [itrebal_sleep], Not really
<4> php.net/mail seems to think so
<8> deadroot: He's pointing out that if you are using some sort of DB viewer that doesn't strip it you could have problems
<4> even some windows only params
<1> Filtering HTML by hand is a nightmare. There are countless things you have to think about.
<7> then it is the DB viewer's fault
<7> you should file a bug report if the viewer broke
<5> lol, thanks Zule, guess I forgot to define it
<8> deadroot: I agree, if you get cracked by some exploit through a bad db viewer its your own fault
<9> But if you don't filter your data on input, especially data that gets executed - then you are leaving yourself open to someone running all kinds of nasty things on your computer ...
<10> how can i limit max data sent in a form
<9> And it's better to be safe than sorry when it comes to what gets executed and what doesn't ... ?
<1> Just out of curiosity, what kind of user input are we talking about? User input you want displayed as HTML in the end, or input you don't...
<10> so like someone can't submit 50,000,000 text into a text box and hack the server
<10> hehe
<11> Why does
<11> global $x;
<11> $x = "blah";
<11> function test(){ echo $x; }
<11> test();
<11> not work?
<7> okay, say you filter upon input. that avoids the bad DB viewer problem. what about the millions of other people who don't filter their input and use the same bad DB viewer?
<1> Because you need the global word in the function, read up about globals.
<1> 'cause my view is just that you're as well using htmlspecialchars when you put it in the database, rather than after. It saves processing time when reading it out and echoing it anyway. Calling it once when storing saves calling it multiple times for every output
<7> the correct fix in that case is to fix the DB viewer
<4> !tell dolphinling about pastebin
<12> moosey: look into using strlen or count > www.php.net/strlen , www.php.net/count
<7> Zule: if processing speed is important, then yes, preprocessing would save on postprocessing stuff
<11> [itrebal_sleep]: is 4 short lines too long to paste in here? sorry.
<1> Well if you don't have any valid need to keep it raw, htmlspecialchars on it is viable. It really depends on the end need in my opinion
<1> dolphinling: Read this -> http://uk2.php.net/global
<4> alright, sleep for sure now
<9> Zule, agreed ...
<11> Zule: Oh, thanks! That explains it a lot better than the tutorial I was using.
<9> and prevents most CSS attacks at the same time ...
<1> php.net is magical :)
<12> Indeed
<1> But it just seems an odd debate :) If in the end you don't want whatever is in the database being outputted as html, and will be calling htmlspecialchars on it, you're as well doing that when you store it. If you do need the output as html, well, it's probably safe to assume you know the html is likely okay or your security is horrible so it's game over either way! :D
<9> ... and what about a user executing remote shellcode ... escaping won't stop that ... I was just looking at a phpbb hack the other day that did that very thing ...
<1> That's what learning about security is for \o/
<8> Zule: Exactly, not to mention how much simpler filtering output rather than input is for editing
<6> bull****
<6> you'll get input usually once, you'll output thousands of times
<1> Well I wouldn't exactly say "exactly" in response to me :P
<8> Jymmmm: So output filtering is slower, that's a given. Doesn't change the fact that you're writing the filter code either way.
<1> As I said, if my output was going to not have raw html, I'd store it with htmlspecialchars.
<6> RogueJedi why waste resources like that?!
<8> Yet you still have to write something to show the user what they entered, not what your program turned it into
<13> anyone ever use tinyhtml parser?
<13> does it have stuff for nested tags
<13> i just wrote a huge program to do it manually
<6> !+g8
<14> Guideline #8) SQL Q's: #sql, #mysql or #postgresql. Apache Q's: #apache. Linux Q's: Either #yourdistro, #linuxhelp or #linpeople. HTML/CSS/JavaScript Q's: #web. Just because some other channel is 'dead' does NOT mean you can ask here.
<8> Well, I suppose you don't _have_ to
<6> !+g10
<14> Guideline #10) We don't support script(s). We help you *write* PHP, not recommend or download and install/hack/modify/adapt/use pre-written scripts
<1> I wonder if we'll get another release of php 4.4.x :(
<15> hey whats the word for when your subscribed to a service and when the contract is over, it auto renews? (drunken mental lapse in brilliance)
<8> auto-renewal?
<15> that will work
<1> Has support for php4 more or less ceased?
<8> Zule: I wish, maybe more hosts will go for php 5 -_-
<1> I still like php4 personally, I'm not updating...
<8> ..
<15> Zule: what is it about 4 that you prefer over 5?
<1> Classes for starters :)
<8> ..
<8> PHP5's classes are much better structured and more powerful than PHP4
<1> I know, I just don't like them, that simple :D
<8> Not to mention php5 itself is faster overall
<1> That and php4 has been around and tested a lot longer than php5. Just in the same way Apache 1 is still used over Apache 2.
<15> Zule: really? I like 5 for that. But i agree that if you're used to 4 then changing seems like a hill to climb
<6> Some how you ppl think PHP has OOP
<6> it never has, and never will.
<1> Jymmmm: ?! Some how you people think?
<6> Zule (I was being kind)
<15> jymmmmm: www.php.net/oop
<1> You are very kind.
<15> heheh
<3> there's enough OOP to be useful
<6> lith snakeoil
<1> Jymmmm: Are you still using php4?
<15> *bewilderment*
<15> jymmmm uses php 8
<1> lol
<8> Jymmmm: Are you a C++ programmer?
<10> how do i stop warning output of a 404 found using getimagesize() in a remote situation?
<15> Jymmm doesn't even program, he's just here for the chicks
<15> ****, thats why im here :/
<10> coder chicks rawk
<3> moosey; possibly put an @ in there, not sure though
<6> !+@
<14> [@] The PHP error control operator that suppresses errors (@foo()), see: http://php.net/operators.errorcontrol - Don't use it. Think I'm wrong? Ask me about "GO".
<6> NativePHP dont give out poor advice
<10> thanks
<6> You resolve errors, not hide them.
<10> yeah but its not an error it shoots a warning
<3> well it would be better to check if the location is valid or not, and if not do something else
<6> moosey semantics
<10> i cant have my script output these warnings of my system path just cuz someone submits a bogus image
<1> Hypothetical question not to be irritating: Is it okay to hide errors so long as you're checking to see if something was/wasn't successful either, or is that still considered bad practice?
<15> moosey: if you're in error_reporting(E_ALL) / strict either fix it or take your error reporting down. but @ gets confusing for debugging
<15> zule: hiding the error doesn't remove it
<1> Of course it doesn't :)
<1> But I'm thinking in cases where it's not in your control as such.
<10> how would i simply check status on a url call then? i know scan for /200/
<6> Zule There are RARE exceptions to using @, In all the years I've been here, I've only seen one.
<10> but im not aware of a function that does that
<3> hm, does file_exists work with a URL? never tried it
<6> NativePHP in the manual
<10> i can't use no fopen_url that i know
<8> moosey: Are you using php5?
<10> no
<10> 4.2.2
<10> err 4.4.2?
<8> NativePHP: Then not for him it doesn't.
<0> guys
<0> i just set the external smtp server in my php.ini, but it doesn't work