Quotes DB: useful, funny, interesting








Comments:

<0> arent we all
<1> But, yeah, see above.
<0> is the file too large?
<1> No.
<2> agreed, we all have problems
<0> and you've done a print_r on $_FILES?
<2> yeah, go to php.net/features.file-upload and test with that specific example
<3> atwhever --> no
<4> is there any way to add xslt support to a php binary without rebuilding php?
<1> Yes, I've done print_r on $_FILES, it's completely empty.
<3> u just pic PEAR.php on some location on ur web
<1> It works with that specific example.
<2> interferon: you can create a shared extension and include it in php.ini
<5> what's the difference between echo and print_r ?
<1> It's just that whenever I put it into my own website, it just decides to stop working.
<2> Frieden: you mean print? well, search google.



<1> Frieden: print_r pretty-prints arrays.
<5> o
<5> i see
<1> echo doesn't really like arrays.
<4> philip, perfect, can you point me at instructions for building shared extensions?
<3> then do this --> ini_set('include_path', ini_get('include_path').PATH_SEPARATOR.$LOCATION_OF_PEAR_DOT_PHP);
<5> what's the difference between print and echo then?
<3> now u can use pear --> atwhever
<1> No idea.
<2> google will tell you Frieden
<5> hmm
<5> *asks Google*
<1> Either way, you'll probably never use print anyway.
<6> Frieden- print returns a value and can be used as an expression
<1> So, why can't I do function() or echo 'Error.';
<5> ah right
<6> echo can only be used as a statement
<6> Zarel- because of what I just said
<1> But why doesn't or work with statements?
<6> Um
<2> interferon: since xslt is a PECL extension, read this: http://php.net/manual/en/install.pecl.php
<6> Zarel- go read up on the difference between a statement and an expression
<1> ...
<1> But, yeah, so print works?
<6> Did you read what I said?
<2> Zarel: go test that file upload example from the manual
<2> Zarel: or maybe if you pastebin some code, someone might spot an obvious error, such as a lack of enctype in your form
<1> philip: As I said earlier, I already did, and it worked.
<7> hi guys
<2> then write your code more like that example :)
<7> somebody knows how to activate with imagick
<1> Um. I knew that.
<4> philip, much appreciated
<7> and how to work and devel with these?
<2> Kalavera: did you read php.net/imagick ?
<2> Zarel: are you teachable?
<7> ok yeah but i am in gentoo
<2> i doubt gentee has a imagick php extension package, but maybe, if not, read: http://php.net/manual/en/install.pecl.php to create a shared pecl extension and include it in php.ini
<2> gentee? heh
<1> philip: What do you mean?
<1> I was joking about the "Um. I knew that."
<1> What I actually meant was, "Eheh. Yeah, there /was/ a lack of enctype. No wonder it didn't work."
<2> oh, nice it was fixed :)
<2> how about "Ah, enctype! Doh! :)" :)
<7> philip, these page said Imagick was not found
<2> Kalavera: ?
<2> http://pecl.php.net/package/imagick and http://php.net/manual/en/install.pecl.php
<2> then php.net/configuration
<8> Is there a way to stop fopen/include from allowing streams/URL's _without_ having to set the .ini file (allow_fopen_streams)
<2> why?
<6> inflex- pretty sure fopen_wrappers is a system-only setting
<8> because I know that a given input I have should only require a local file, so, as another level of protection against potential hacking.
<6> i.e. can only be set in php.ini or httpd.conf
<9> inflex: strip slashes and colons for another level of security instead? *shrugs*
<8> \zxc: already doing stuff like that.
<6> Disabling fopen wrappers really cripples your system
<8> also doing strspn checks
<9> good good
<10> Hi
<7> philip, if imagick is active i need to see these support in phpinfo page really?
<8> I think out of my entire WWW site, there's only 1 time that I need to use the URL open facility of fopen



<10> I have to register?
<8> ( so I can query an online freight calculator )
<2> Jthomas: no
<10> [INFO]This channel requires that you have registered and identified yourself
<9> As long as you're stripping out everything, then there shouldn't be a problem inflex.
<11> Jthomas: for this one?
<10> Yes, in this channel
<8> \zxc: I guess so ---- I'm just paranoid :D
<9> that's a good thing, we need more of you
<9> s/you/us
<2> file_exists() etc. would work although if it's worth the server hit of course depends... :)
<8> \zxc: only like this because I've been slapped a few times by the defacers/kiddies :(
<9> bah, that ****s.
<10> Anyway, I'm currently a php programmer, I do know quite a bit but no professional. But people talk about VALID programming. Is there actually a resource explaining what is Valid and what isnt?
<8> \zxc: I come from a C programming background, so I wasn't aware of some of the PHP exploits/features for the same named functions
<12> Jthomas Design Patterns
<8> \zxc: the fopen/include was a painful lesson
<6> If passing a URL to one of your file functions is a security problem, your code is written incorrectly in the first place
<9> There's always an endless stream of low cost penetration testers. :)
<10> What do you mean by design patterns?
<12> Its a book Book 1994
<8> \zxc: these days I run mod_security on apache, ban 99.9% of bots, run iptables with only 80 and 25 ports available
<9> inflex: Yeah, I've recently seen some nasty full "administration" scripts that have been written to exploit sites that leave holes in their fopen/include.
<2> setting allow_url_fopen to off at runtime, i can see why that should/would be possible (but of course still disallow it off-->on at runtime)
<6> If the only open ports are 80 and 25, how to get any files on the server?
<6> Er, how do you
<8> Dragnslcr: okay, I admit, I have 22 open to one IP, and only with a RSA key (no password)
<9> erk
<9> Hope whatever box the RSA key is stored on is secure then.
<8> my home machine, yes.
<8> double NAT'd, linux (okay, could be more secure but at least it's not Windows with IE :)
<9> haha
<13> is there a purpose for vim adding "\r" to my newlines?
<10> So theres actually no Official Valid Programming Way
<9> I just stopped someone who had RSA keys so he could conveniently access any server, and he had them on every server. Therefore if one box was compromised, they all would be.
<8> \zxc: yes, it is a risk if the key-holder machine is exploited
<8> \zxc: of course, you can do RSA + passphrase
<9> Yeah, and all the machines were key-holders of the other machines.
<6> fleckz- you mean it's using \r\n for newlines instead of just \n ?
<9> Yep, that's what I told him to change to.
<13> DRgnslcr: yes
<12> Jthomas, if you're an OO guy, it is very easy to impugn non oo guys
<10> Also another question. Is there any editor or program that I could run on my website, and it check for security holes?
<6> fleckz- on Windows?
<13> Dragnslcr: BSD
<6> Yeah, that's a really whacked setting then
<6> \r\n is what old Windows programs use for newlines
<10> Well I do use Object Oriented Programming.
<13> Do you know if there is a command I can add/take away in my vimrc to correct the problem?
<12> Not on the level of design patterns
<6> Read the vim docs
<9> Jthomas: Try #security
<8> \r\n is technically a more pedantically correct newline formation (if you look at the way typewriters do it)
<10> Thanks.
<8> as there's a "new line" motion, then you carriage-return
<13> for some reason, the
<11> inflex: typewriters/
<11> *typewriters?
<8> tecnoba: danke.
<11> that's not the reason \r\n is more correct...
<13> for some reason the \r messes up my scripts when they execute
<6> tempest1- that's where two separate characters came from
<6> fleckz- it shouldn't
<10> No one in security :(
<6> PHP should handle \r\n for newlines just fine
<11> Dragnslcr: yes, but it's not why they are used like that
<13> Dragnslcr: sh scripts
<13> bash/sh
<9> Jthomas: They usually respond if you ask a question :)
<10> Found one :-p
<6> fleckz- ah
<6> Yeah, bash doesn't like \r\n
<11> fleckz: bash scripts should simply use \n since they'll be restricted to *nix systems
<11> \n is *nix, \r is Macintosh, \r\n is windows

