Comments:
<0> of fried chicken?
<1> that's it thank you
<2> I'm looking for suggestions or links concerning this problem: you've got apache with php running as nobody. You have a web app that edits a file, so the file needs to be open to nobody. A malicious user hacks your site, and messes with files owned by nobody. What can you do to allow php/apache to edit the files, without having them owned by nobody?
<2> *file needs to be _owned_ by nobody
<3> $WEATHER = str_replace("?", "°", "?");
<3> that means replace all ? with $deg; correct?
<4> Brian_S: no
<3> that's why
<4> rethink what the third arg should be
<3> I need to put the variable in the last slot
<3> $WEATHER = str_replace("?", "°", $WEATHER)
<5> scrapper, configure apache to run as www?
<5> scrapper, it looks like you're either going for a 1 in 10,000 chance, or this has actually happened to you
<2> hawkaloogie: then the files would need to be owned by www. the problem is that the malicious user exploited apache somehow, sorry I wasn't clear on that
<5> scrapper, update your apache
<2> ya, i got burned yesterday, no more sloppy permissions ;)
<4> chmod 777 -R /
<5> make sure that only the necessarily writable files are writable
<5> all other, 755
<2> philip: ha.... ha
<3> $WEATHER = str_replace("?", "°", $WEATHER);
<4> Brian_S: stop please, just ask a question
<3> that does not change the ? to ° 's
<4> it does
<3> no it don't
<3> I pan it twice now
<3> ran*
<4> look at html source
<6> Brian_S: that's because it's not a ?, your GUI is just showing you a ? because it doesn't know what it is
<2> hawkaloogie: see, my hosting provider harps on me for having files owned by nobody, but I have to in order to have files editably through the web app. And since I make almost all the content editable, it's all wide open.
<4> ah yes
<3> how do I find out what it is so I can display it?
<2> s/editably/editable/
<5> scrapper, if the file is writable by all, it doesn't have to be owned by nobody
<5> scrapper, this also seems more of an apache / linux problem, the people in those respective channels would definitely be able to help you more
<2> hawkaloogie: yes, but then my problem would be larger ;) I only make it writable to nobody, but the hacker was using the nobody account.
<2> hawkaloogie: ahh, ok
<2> thanks
<5> if you have enough control over your provider to be able to change the owner of a file, you can probably change your apache config
<2> ya I have root
<6> scrapper: are you sure it wasn't via apache but via your upload script?
<5> i'd suggest #apache
<6> or xmlrpc?
<7> howdy
<6> you need to look at what you have installed and what exploits are known for them
<2> ||cw: I'm not certain what it was, but the nature of the damage (replacing index files) seemed to indicate that he just got in as nobody and romped around the filesystem a bit. Probably a bot
<5> scrapper, does your program prevent that from happening?
<2> ||cw: we do use xmlrpc. I'll google and research the exploits.
<7> so I hear you guys are being abusive to people with female nicks
<7> for shame!
<2> hawkaloogie: theoretically, because I enclose all my form submission handling in code that checks for authorization. However, being a two person web team, we are certainly sloppy, slovenly, and stupid at times.
<2> so who knows
<0> kaylee: ...
<8> kaylee: Erm? Shame? We don't abuse anyone here, even inferior asses.
<7> Stormchaser: should I be shaking a finger at you too? :)
<0> Lateralus: s/don't//
<7> Lateralus: it's ok, we generally understand that you can't really breathe well with your head that far up your ass
<8> Stormchaser: >:D
<8> kaylee: I must admit, it does get a bit cramped at times.
<0> kaylee: Go away
<9> if i pass in a mysqli object to a class in the constructor like: function public __construct($Mysqli) { } do i have to use & or not? the thing is, passing by reference seems logical, and i also want the behaviour to change inside the object if i change the mysqli object outside. so i guess & is ok? but if i pass without &, i can't imagine php copying the actual object and creating a new connection.. what do you think?
<7> Lateralus: haha
<9> public function even
<10> Jax, no, you don't need to
<9> but. is this because of the type of object mysqli is? or why.. somehow php has to know when to pass by value and when to pass by reference..
<9> and that's not a behaviour that can be guessed
<6> Jax: is your $Mysqli an object or a resource? in php5 objects get passed by reference, I don't think resources do
<11> Suppose ImageMagick is installed, does this make any sense? http://notdotnet.net/convert.php
<10> Jax, objects are passed/returned by reference automagically.
<9> so how can i force a pass by value ?
<10> Jax, you'll need the keyword "clone"
<9> what about variables?
<12> Hello, could someone tell me how I could make a sleep() in php to show me a text from 1-5 from 2 in 2 seconds
<9> they are not passed by reference per default i suppose.. ?
<12> i mean, i have a for, for ($i=1; $i<=5; $i++) {
<12> and here i want to show $i .. from 2 in 2 seconds
<6> Jax: correct
<8> Jax: "pass by value"? A copy? Why do you want to receive a copy? You just said you wanted a reference.
<9> ok, so objects only?
<10> Jax, depends on what is in the variable
<6> Jax: i think so
<13> In PHP 5, objects pass by reference, everything else by value, by default, AFAIK.
<9> good answer, thanks Crell42
<13> In PHP 4, it's all by value by default.
<0> snipey!!!
<14> is the XMLReader object able to read xml from a url?
<8> Hey snipe, been awhile :)
<8> sleek: $obj->open();
<0> Hello? Anyone there?
<15> Arvid: what happens when you copy/paste that convert line into a shell prompt?
<8> sleek: php.net/function.xmlreader-open
<16> if you have a number of values in an array such as array(2, 7, 9, 15, 22) and you want to check to see if the post data from a form matches one of those, how would you do that?
<14> Lateralus: oh, it's an rdf... maybe that's why it doesn't work
<0> DogWater: in_array
<17> How do I get rid of the need for the "php" in <?php ... ?> I didn't see it in the faq :(
<16> ahhhh
<16> i was trying all kinds of foreach crap
<16> that obviously wouldn't work
<0> ew.
<18> heya Lateralus, Stormy
<8> Korthrun: You don't.
<8> Korthrun: read php.net/langref to find out why.
<8> Korthrun: php.net/language.basix-syntac
<19> Question: is there a php function that can return what the absolute path is for the given php file?
<8> s/syntac/syntax
<0> snipe: jfarel was looking for you.... He had some questions about writing / publishing a book? don't know...
<0> +r
<13> CEVO|Carmony: dirname(realpath(__FILE__));
<13> That will give you the real full path of the current file.
<19> Crell42L: alright, let me try that!
<0> yo, Flaming!
<17> Lateralus: that looks like I can do it....
<18> grr..... brb... birthday lunch stuff for co-worker
<0> hehe
<17> Lateralus: or are you under the assumption that I am trying to create "portable, redistributable code"
<16> Stormchaser: if you had 128 values to check 0-127, would you put 0, 127 in the array or 0, 1, 2, 3,.. etc
<3> how can I check if a variable CONTAINS something?
<8> Korthrun: I am under the assumption that you are a good programmer, yes. Then again, you can always prove me wrong.
<20> how do you list an object's methods?
<16> Stormchaser: I know to use in_array you must put them all in the array, but I'm asking what would you do
<15> Korthrun: There is a wide gap between "could" and "should".
<0> I'd use in_array
<17> Lateralus: nope, I'm more of a systems admin than a programmer :). I'm not the one coding here.
<16> so you would just create a gigantic array?
<20> nevermind found it I think, get_class_methods()
<17> JAJMaster: very wide, he said "you don't" I guess it's my bad for assuming that implied "you can't"
<8> Korthrun: Don't change configuration around your stupid programmers; Fix your stupid programmers.
<17> ttfn
<14> Brian_S: strpos(), strstr()
<0> DogWater: Why? You *must* have something already to compare it with...
<14> Brian_S: assuming it's a sring
<14> string
<17> the stupid programmers are my friends whose personal homepages I host :) I write my stuff in perl
<17> Thanks for the help though, those Docs were just what I needed
<21> anyone have good advice on which ajax toolkit they like working with php the most?
<8> riftdesign: OJOX.
<0> :)
<8> riftdesign: It's damn Web 2.0.
<16> stormchaser: if something specific happens it has to be between 0-127
<16> basically
<16> otherwise it has to be between 0-31, or 192-223
<22> Lateralus: 2.0? i'm already on 2.0.5-RC1
<21> heh
<8> caffinated: Pfft, **** you. 2.0 or bust. Oldschool, bitches.
<0> caffinated: Ha! You're lame... 2.5.11-dev here :)
<6> I've been doing "web 2.0" since 1999
<22> Lateralus: I don't want your buggy 2.0 :(