Comments:
<kuja> Weird.
<kuja> It's quite amazing how people often mistake ##php for Google. But the weirdest part is, they mistakenly click <IRC Client>/FreeNode/##php instead of <Browser>/google.com
<LarsK> CryWolf: I tried to make an array: http://www.phpriot.com/2804, but it didn't work
<BarnacleBob> outofjungle, now that i check they all work + one more works. PHP_SELF, SCRIPT_NAME, SCRIPT_FILENAME, PATH_TRANSLATED
<outofjungle> BarnacleBob: thanks, but it does not work for me though. maybe, i need to re-compile with some flags turned on
<BarnacleBob> outofjungle, i doubt it. make a test file with just print_r($GLOBALS); in it and see what comes up
<Kcaj> $result3 = mysql_query('SELECT * FROM _install ORDER BY instid DESC LIMIT 1');
<Kcaj> Err
<Kcaj> whats wrong with that?
<Kcaj> Syntax-wise?
<boneill> select * is evil
<BarnacleBob> boneill, what if you want all the fields?
<Kcaj> Like in my instance
<boneill> you type all the names of the fields out in your query
<BarnacleBob> now thats evil
<BarnacleBob> some of my tables have 40 fields in them
<boneill> yup
<boneill> some have hundreds :)
<BarnacleBob> so why do you say that?
<GarethAdams> BarnacleBob: why don't you have a framework which builds your queries for you?
<BarnacleBob> i've never heard such things from the people in #sql
<GarethAdams> would save a lot of time with 40 field tables
<outofjungle> BarnacleBob: nothing :( . my php -v says its (cgi)
<BarnacleBob> GarethAdams, i started writing one but lost interest :)
<GarethAdams> don't write your own
<GarethAdams> there's plenty out there
<Ceran> BarnacleBob: I'm with you. select * is invaluable.
<BarnacleBob> outofjungle, no just run php -f file.php
<BarnacleBob> GarethAdams, eh i like writing my own
<outofjungle> BarnacleBob: nothing again.
<BarnacleBob> outofjungle, and in that file.php you put <?PHP print_r($GLOBALS);?>
<boneill> Kcaj: syntax wise probably nothing, this isn't #mysql tho ;)
<BarnacleBob> right?
<outofjungle> BarnacleBob: sorry, my bad. just a sec
<boneill> BarnacleBob: http://www.parseerror.com/sql/select*isevil.html
<Vooloo> I have replaced my mailform script with preg_replace to get rid of the spam, but somehow I am still getting it... $Name = preg_replace('/[\n|\r].*/', '', $Name); this is what I have.. I also have a textarea field, but I'm not replacing anything in that one.. is that the problem?
<_DeXteR_> rrrrrrrrrrrrrrrr
<_DeXteR_> Poison3R,
<_DeXteR_> :)
<outofjungle> BarnacleBob: thanks, it works for php4 (cli) mode, but i have to figure out why this variable is empty on php5 (cgi)
<Poison3R> _DeXteR_: what
<_DeXteR_> this server
<BarnacleBob> boneill, lol actually most of my queries dont use * because of those reasons listed :) i rarely need everything there is just one place where i do a * and the results get printed out exactly the way they are in the database :)
<_DeXteR_> is it Bulgarian?
<roychri> Vooloo: You are attempting to reduce the spam to zero by putting a regular expression in a php script on your site?
<Poison3R> _DeXteR_: nooo
<BarnacleBob> outofjungle, what variable are you trying to use?
<_DeXteR_> I'm from Linux-bg.org ;)
<_DeXteR_> saw it in your signature :)P
<Vooloo> roychri: no just the bcc and cc spam you know
<outofjungle> BarnacleBob: $_SERVER['PHP_SELF']
<GarethAdams> roychri: he's replaced the mailform with a regex
<GarethAdams> since a regex can't send mail, no more spam!
<BarnacleBob> outofjungle, thats odd that works for my php5
<Vooloo> the script works and all, but how do I know if it also sends it to bcc ?
<roychri> Vooloo: Once your email address is in a spammer's database, no php script will get your email removed from it.
<outofjungle> BarnacleBob: it does not work on php5
<Vooloo> roychri: it isnt
<roychri> Vooloo: check the mail server log to see if the mail gets sent to all places.
<roychri> Vooloo: Or put one of your other emails in the Cc and see if you get it twice.
<outofjungle> BarnacleBob: let me try on php5 (cli) and see what i get
<Vooloo> I don't know how to perform the injection attack so I can't try :x
<roychri> oh, I think I get it. You want to prevent spammers from using your script to send out spam?
<BarnacleBob> outofjungle, php -f test.php && cat test.php
<BarnacleBob> $_SERVER["PHP_SELF"]=test.php<?="\$_SERVER[\"PHP_SELF\"]=".$_SERVER["PHP_SELF"];?>
<Vooloo> roychri: bingo..
<killer-instinct> if I was processing $_SESSION['items'];
<killer-instinct> how can I clear that out to be nonexistent to restart a wizard
<john76> anyone know of a quick way to list the contents of a local directory on the server
<boneill> unset ?
<roychri> Vooloo: Maybe your regular expression is not enough, It depends on the tool you use to send the email.
<Vooloo> roychri: well it's just a script sending mail()
<outofjungle> BarnacleBob: found it. the $_SERVER["PHP_SELF"] does not work on my PHP5 CGI installation. i have it CGI 'cause i have both php4 installed on this machine for testing
<boneill> john76: look at the opendir function in the manual
<roychri> Vooloo: Make sure the destination email does not contain a comma "," and make sure it's only an email that you know is valid.
<outofjungle> BarnacleBob: but it does work just fine on PHP5 cli on my production machines
<john76> k
<outofjungle> BarnacleBob: thanks a lot
<roychri> If you hardcode the destination email in the php script, then you should be fine.
<BarnacleBob> outofjungle, ack i'm sorry i must have missed the cgi i thought you were talking about cli. my bad
<Vooloo> roychri: the email is hardcoded in the script.. but I still get content mime type emails to the target email with injections to other bcc/cc emails
<Psi-Jack> Anyone here used Net_IMAP at all from PEAR?
<Vooloo> does textarea reproduce \n or \r ?
<Psi-Jack> Every time I try to use it, I get, at the end of the execution of my script: Fatal error: Cannot use object of type PEAR_Error as array in /usr/share/php/Net/IMAP.php on line 180
<awormus> Psi-Jack: ask in #pear on EFnet
<boneill> Vooloo: depends on how you've done your textarea
<Psi-Jack> awormus: I fricken hate efnet, though. :(
<roychri> Vooloo: In my experience, the textarea newline depends on the OS of the client.
<BarnacleBob> Vooloo, on windows i know it produces \r\n's not sure about *nix browsers or on mac's tho
<Vooloo> boneill: what do you mean how?
<outofjungle> BarnacleBob: sorry, i didnt capitalize the CGI until the end. so, why is it different in CGI? can i read about it someplace to know more?
<boneill> oh \n or \r, sorry misread
<awormus> Psi-Jack: you won't get help here :)
<mfonda> Psi-Jack, sounds to me like something you are doing is causing a PEAR_Error to be returned instead of what's expected. Try print_r() the object which is an error and see what the error is
<roychri> Vooloo: I would need to review your script to be able to help you more here.
<mattmcc> Psi-Jack: You may find PEAR::isError() a useful check.
<Vooloo> found an article now: http://securephp.damonkohler.com/index.php/Email_Injection
<Psi-Jack> mfonda: Heh, you know what's odd? All I'm doing is using Net_Cyrus, which extends Net_IMAP, and using getHierarchyDelimiter() from Net_Cyrus, and then closing the imap connection. That's it.
<BarnacleBob> outofjungle, i remember reading about it somewhere. let me see if i can find it
<mfonda> Psi-Jack, I have used either, but what I mentioned is a typical debugging step when you encounter your problem
<Vooloo> roychri: I want to change the script to something more flexible and better, just don't know which of the ones I find on the web are secure :E like this one looks good: http://www.datahelper.com/mailform_demo.phtml but is it secure from email injection?
<PHP-Coder2> Evening all :)
<Psi-Jack> mfonda: Hmm. Okay, so what am I supposed to print_r of?
<PHP-Coder2> Does PHP have an option to read in a remote file and determine its file/date time ?
<mfonda> Psi-Jack, Cannot use object of type PEAR_Error as array in /usr/share/php/Net/IMAP.php on line 180
<mfonda> Psi-Jack, whatever that variable is
<roychri> Vooloo: Checking for \n OR \r in the "from" value should be good enough then. If you see one of them, bail out.
<roychri> Vooloo: The real secret here is to validate EVERY single input value.
<PHP-Coder2> Anyone ?
<outofjungle> BarnacleBob: thanks a lot :)
<Vooloo> roychri: what about textarea
<Vooloo> ?
<BarnacleBob> outofjungle, i'm not sure where i read it but i would start here looking for it http://us2.php.net/manual/en/reserved.variables.php#reserved.variables.server
<Vooloo> it would always contain \r and \n..
<boneill> PHP-Coder2: You could look for modified headers
<PHP-Coder2> boneill, this is my idea
<roychri> PHP-Coder2: depends on the protocol used. I've seen some which give you that info. However, some protocols can fake that value.
<PHP-Coder2> I want to get an image from my local disk
<PHP-Coder2> and place it onto a Linux machine
<LarsK> Hi! Can somebody help me with this script? http://www.phpriot.com/2805 (updated info)
<BarnacleBob> Vooloo, if a mac user submits it it could be just \r, if unix it could be just \n, if windows it could be \r\n i would plan for all of them
<PHP-Coder2> keeping the original Create date/time
<Vooloo> BarnacleBob: yeah but do you think it could be used to inject like that, or is it only input fields?
<itrebal> might anyone know about the Difference Engine, by Babbage?
<roundyz> fgets($openlog, 4096);
<Xyphoid> you want help programming one?
<outofjungle> BarnacleBob: thanks again
<roundyz> whats the number mean on this php file command?
<PHP-Coder2> Because I want to use those values to be displayed on the page
<roychri> Vooloo: you should validate all input fields. the hard part is knowing which characters/values/strings could be bad.
<BarnacleBob> Vooloo, inject? like from a security standpoint i have no idea, i thought you were talking about it from a just resulting text point of view
<mfonda> itrebal, maybe http://en.wikipedia.org/wiki/Difference_engine or maybe #math
<AcidReign> roundyz: get up to 4KB
<PHP-Coder2> and I keep getting a read error or an execution error
<AcidReign> roundyz: its the maximum number of bytes returned if no newline is found
<roundyz> can you change it so it says how many lines to get instead?
<AcidReign> roundyz: no
<AcidReign> roundyz: that function returns one line (or max bytes)
<AcidReign> roundyz: if you want more than one line, use a loop
<roundyz> ok sort of like ?
<BarnacleBob> or file_get_contents :)
<kerp> Could anyone recommend some PHP development companies to me? Or at least a place to look for some? I would appreciate it, thanks. :) (I apologize if asking this is against the rules, I read the guidelines and did not see anything about this.)
<roundyz> ok whats feof ?
<AcidReign> roundyz: it tells if the file pointer is at the 'end of file'
<Akuma_> is anyone familiar with PEAR::HTML_QuickForm ? There's no answer in #pear. It's a very quick question - http://pastebin.com/575407
<BarnacleBob> endoffile roundyz
<roundyz> ok, so how would i add that to a loop?
<itrebal> mfonda: thanks
<mfonda> Akuma_, try the PEAR mailing list
<roundyz> would it be better to use an if loop?
<roundyz> or a while loop?