Comments:
<0> GeoJohn: http://www.testdrive.hp.com/
<1> 'lo all ;)
<2> Greetings...
<2> ... question
<2> for me $HTTP_USER_AGENT doesn't work in a function. Why?
<3> what version of PHP?
<0> FenixRF: You have globals turned on! Ouch
<2> 4.4.1
<3> turn off globals and use $_SERVER
<2> I don't run the server
<3> ouch even more
<0> FenixRF: Try putting "global $HTTP_USER_AGENT" at the top of the function if you must use globals.
<2> I don't use globals... at least not intentionally...
<2> so what's the $_SERVER version of HTTP_USER_AGENT?
<2> $_SERVER_HTTP_USER_AGENT?
<4> $_SERVER['HTTP_USER_AGENT']
<2> k
<5> anybody ever had problems with getimagesize() giving a read error ?
<3> http://us2.php.net/reserved.variables
<4> good dog.
<6> globals can be turned off on .htaccess level iirc
<7> you shouldn't need to turn globals on or off. if your code is properly written, it doesn't matter what that's set to.
<4> Thats right FenixRF, run away..
<4> ..run away..
<6> caffinated: true. but why learn the hard way ? :)
<7> Meltir: learning the hard way is not reading the manual in the first place.
<7> in which case turning them on or off isn't going to help you in the first place.
<3> You shouldn't need to wear a seatbelt if you drive safely, but it's the other MoFo who you didn't think about that screws you up
<7> indolent: that makes little sense in this context.
<3> you can write the best secured app
<3> and someone will be able to hack it
<3> why not just start the playing field a bit better with Globals OFF
<7> indolent: because you don't need to.
<6> <?php print "Hello World"; ?> <-- hack that :>
<8> s/print/echo
<7> indolent: register_globals isn't actually insecure. improper usage of it is.
<3> right....
<7> right.
<3> its also deprecated though.. is reg globals going to be supported in 6?
<7> indolent: erm, what do you consider "reg globals" ?
<3> the whole idea of register_globals being on.. like $name == $_POST['name']
<6> caffinated: my point is: why worry about checking for set variables and trying to figure out where they were set, when you can simply turn off globals and sleep that much lighter ? :>
<7> Meltir: because if you follow a proper standard of coding you won't need to worry about it.
<3> you're right though for simple things RG IN is no big deal
<3> but also when you get into OOP, public, private etc.. RG don't really matter. cause they should be defined in the class anyway
<6> caffinated: standards require taking certain actions. and it's easier to make up your own. i know exactly what you mean - standards are a good thing. but it's easier this way. and coders like to take the easy way out. i know i do.
<9> I fail to see the link between OOP visibility and register_globals...
<3> but ill always err on the side of paranoia
<6> colder-: how do you set $foo->bar->xyverz via the url ? :>
<9> well, that's a simple object property, that doesn't concern visibility at all.
<10> hello
<7> Meltir: um, by 'standards' i mean simple things, like defining variables before use.
<11> indolent: sorry, I was talking with the bosses. I'm using Win32
<3> besides.. my main lib class i set all $_REQUESTS to $lib->requests[]
<3> and i filter them anyway
<12> Melter: more often than not, knowing what way is the easiest separates a mediocre programmer from a good one.
<3> and i never use or reference $_POST/$_GET
<10> if (!preg_match('/^(gif|jpe?g)$/',$file)) { <- im trying to use that to determine if a file is a jpg or gif
<10> its not working
<3> sorry i suck at regex
<10> any ideas?
<9> sym0_, that's expected, you don't check only the end, but the whole string
<11> sym0: you're using the ^
<12> I.e. ... it seems hard to unit-test, but it makes development a lot easier.
<11> try without it
<6> caffinated: picture this scenario: you have a script - it can work as a standalone and as a include. it just check if some var is set, and based on that you take certain actions (connect to the db and so on). with globals on - someone just types that var in a post or get, and he's there. how do you escape that trap with globals enabled ?
<10> I dont want people to be able to do something like .jpgfile.php
<10> you know?
<10> and manipulate it to execute code on my server
<9> notice that you should check the mime type instead, as a jpg file is not forced to be named .jpg
<11> that's what the $ is for
<11> and yeah, listen to colder
<13> hi
<10> colder- i dont understand, its for file uploads
<10> they upload a file, if its the proper format it saves it
<10> if not, it kicks back an error
<11> well, format is determined by extension
<3> i think its if $_FILES['type'] or something
<14> how do i get rid of dbx?
<7> Meltir: if you're checking to see if a variable is set without checking the variable's content, it's your own fault if it fails.
<14> i'm using debian
<11> rename a text file to mad_hax.jpg, and it's still just text
<3> just do if in_array(
<13> is it possible to return tablename.colname in the attribute names when using mysql_fetch_object? and how?
<9> mammuth, you can simply alias it
<9> but if colname is unique, you can access it using colname
<13> yes, right,
<6> caffinated: whats the diff ? so i check the content. someone just types foo.php?var=value and he is already there.
<7> Meltir: in the end, a language should not have to impose any kind of safety mechanism to protect you. you should be protecting yourself.
<13> colder- sure it is a matter of naming cols
<13> colder- are there ANY directive or param to get not just the colname,
<13> ?
<3> Meltir - good example
<6> caffinated: yes, but if there is an easy way to take it off my mind - then why not take it ?
<7> indolent: it isn't, really.
<3> sarcasm
<3> what if $var is already set in your script
<3> you just overwrote it
<4> i know this is a PHP channel, but has anyone had any experience fetching HTML from pages using VB?
<7> Meltir: because the easy way is not always the right way.
<9> mammuth, to access it using $result['table.colname'] ? no
<15> I actually have this working but I'm annoyed cause I don't know how it is working. Does strtotime() understand date() variables?
<4> RTFM?
<6> caffinated: apart from parsing something like debug_backtrace() to see where we came from - what way would you see to check how said var was set ?
<13> colder, yes, like $object->"tablename.col"
<7> Meltir: if it's properly validated, it doesn't matter where it came from. user input is user input.
<13> colder- the same
<9> why do you use an object, anyway ?
<13> colder: mysql_fetch_object
<3> try fetch_assoc
<13> colder: hmm. fetch_assoc...
<9> mammuth, sure, but why do you need to fetch the data in objects ?
<13> ok
<6> caffinated: its one of the reasons that i believe that register_globals can save my life. really. if you know a way to check where some variable was set - please tell me. no sarcasm.
<16> hi
<7> Meltir: you don't need to check that if you code properly.
<3> if(isset($_POST['var'])
<7> Meltir: every time i use a variable, the first thing I do is initialize it.
<3> or $_GET
<13> colder: simply the same result, no tablename
<4> Meltir: you are arguing to enable register globals?
<6> punkstar: disable.
<4> so $_GET['value'] != $value?
<3> right
<7> Meltir: if you don't do that, you're already coding in a stupid way.
<3> $_GET['value'], $_POST['value'] and $value all are different values
<17> Meltir: register_globals is evil simply because you can't control where a var comes from. a user could add any arbitrary cookie to their system and it will get injected directly into your memory space
<4> yes but, but i think its register_globals that allows $value to take on the value of $_GET['value']? Correct?
<3> oooo. good one
<16> you guys know PovAddict?
<6> k. how do i tell if $foo isnt set in $_POST/$_GET['foo'] ?
<7> ||cw: and it wouldn't make any difference at all to anything I write.
<4> is it third party software
<4> $_REQUEST
<6> ||cw: my point exactly.
<3> Meltir: but you shouldnt do anything with foo unless you are expecting it from post or get
<3> thats where if isset$_POST
<6> indolent: scroll up to see my example.
<7> none of you really get it, it's frightening actually.
<3> and to get really crazy, you can check referrer to make sure its the expected from page
<18> I still can't settle on whether to use camelCase or _
<6> caffinated: picture this scenario: you have a script - it can work as a standalone and as a include. it just check if some var is set, and based on that you take certain actions (connect to the db and so on). with globals on - someone just types that var in a post or get/cookie whatever, and he's there. how do you escape that trap with globals enabled ?
<3> dont use $_REQUEST
<6> sorry - that was supposed to be just a repeat.
<3> cause &var=foo is the same as $_POST['foo'] then
<7> Meltir: yeah, and it's still stupid.
<6> caffinated: its a reallife situation.
<7> Meltir: no, it's 100% stupid.
Return to #php