|
I always use the colon and it works fine.
|
# ? Jan 3, 2010 14:34 |
|
When using mysql_connect, is there any way to connect without having my password in the PHP files in clear text ? I'd like to maybe MD5 the password, and when mysql_connect'ing tell it to compare it with an MD5'd version of the database password. I want to do this in PHP (in my sqlconfig.php) and not in a .vhost or anything.
|
# ? Jan 4, 2010 10:17 |
|
Yossarko posted:When using mysql_connect, is there any way to connect without having my password in the PHP files in clear text ? (Also I wouldn't use MD5 for any new security-related code, best practice is to use SHA-2.) Standish fucked around with this message at 11:00 on Jan 4, 2010 |
# ? Jan 4, 2010 10:57 |
|
Yossarko posted:When using mysql_connect, is there any way to connect without having my password in the PHP files in clear text ? If you could tell the MySQL server to authenticate like that, then having the MD5 of the password would be as good as having the plaintext one. Just keep your config files in a non-web accessible directory.
|
# ? Jan 4, 2010 11:19 |
|
Yossarko posted:When using mysql_connect, is there any way to connect without having my password in the PHP files in clear text ? Like haywire said, the best you can do is to keep the password in a file that isn't directly accessible to your site's visitors, i.e. outside of the root web directory. It should be 1) somewhere visitors to the site can't get to, 2) in a file with extension .php (the reason for 2 is in case something goes horribly wrong and visitors can somehow get to the file, they won't see the actual file content, because when they visit the page it should be parsed as PHP. This way, in order for a visitor to see the password, two things have to go wrong: the file has to be directly accessible and PHP has to be broken somehow.)
|
# ? Jan 4, 2010 13:53 |
|
I need to download a text file every 10 minutes from a remote server. What is the best way to grab the file, while ensuring that the file is not being currently written? Right now, I'm grabbing the file via PHP FTP commands and processing it.
|
# ? Jan 4, 2010 23:08 |
|
Little Brittle posted:I need to download a text file every 10 minutes from a remote server. What is the best way to grab the file, while ensuring that the file is not being currently written? Right now, I'm grabbing the file via PHP FTP commands and processing it. you can use curl, it is probably the best option for using PHP to grab anything from a remote server. You could run something on the remote server to send you the file. This would allow you to lock it while sending.
|
# ? Jan 5, 2010 00:11 |
|
DarkLotus posted:you can use curl, it is probably the best option for using PHP to grab anything from a remote server. You could run something on the remote server to send you the file. This would allow you to lock it while sending.
|
# ? Jan 5, 2010 10:15 |
|
Little Brittle posted:I'm familiar with CURL, but I don't have access to the remote server.
|
# ? Jan 5, 2010 11:07 |
|
Hope this is the right place to post this, I could really use a hand with my .htaccess file. I have a directory structure like so: code:
code:
I managed to get this to work by using the following: code:
Any help would be greatly appreciated.
|
# ? Jan 5, 2010 11:51 |
|
I don't quite understand what you want to do, but if you use the line code:
|
# ? Jan 5, 2010 12:10 |
|
DoctorScurvy posted:I don't quite understand what you want to do, but if you use the line Oh I forgot about IndexIgnore, I'll certainly throw that in there. What I am trying to do is basically route anything http://localhost/website/system/admin to the url http://localhost/website/admin/ in a horrible attempt to hide the fact that the admin folder resides inside a system folder.
|
# ? Jan 5, 2010 12:22 |
|
Little Brittle posted:I need to download a text file every 10 minutes from a remote server. What is the best way to grab the file, while ensuring that the file is not being currently written? Right now, I'm grabbing the file via PHP FTP commands and processing it. Grab the file every 5 minutes and see which is longest?
|
# ? Jan 5, 2010 15:08 |
|
I have a webpage that's suddenly giving me problems. I'm pretty sure this is correct code, but I wanted to run it by here before I contact the host to see if there's something wrong with their PHP settings. Anyway, it's a page that works as a template and includes an html file as defined in the url. I'm not really a programmer so forgive me if I'm using inadequate terminology. So, for example, the page ends up being https://www.website.com/template.php?id=23 , where "23" is actually an included html file, "23.html"

Here's the code on template.php:
<?php include ('./pages/'.$id.'.html'); ?>

I have several files in /pages/ that are just numbers, like 16.html and 50.html. Isn't that enough? The error I always get:
Warning: main(./pages/.html): failed to open stream: No such file or directory
Failed opening './pages/.html' for inclusion (include_path='.:/hsphere/shared/apache/libexec/php4ext/php/')

If I make an empty file named .html and put it in the pages directory, that blank loads fine but nothing else will. Then, even a url like template.php?id=10 will just load the blank .html file. So, it seems like it's not realizing that $id is supposed to be supplied by the url, like template.php?id=23 .

On another page, I have a randomizer that works with basically the same concept and functions fine:
<?php
srand((double)microtime()*1000000);
$num = rand(1,25);
include ('./pages/random/'.$num.'.html');
?>

Do I need to define "id" within the <?php ?> tags on the page, as is done with the randomizer code? I thought that by having ?id=XX in the url, it is defining the id that way. If it's not the code, what would I tell the webhost to look at in its PHP settings?
|
# ? Jan 5, 2010 19:39 |
|
LifeSizePotato posted:I have a webpage that's suddenly giving me problems. I'm pretty sure this is correct code, but I wanted to run it by here before I contact the host to see if there's something wrong with their PHP settings. Parameters in the URL are inside the $_GET array. So for that, you would replace $id with $_GET['id']. And then of course there's all the attendant security issues with that.
|
# ? Jan 5, 2010 20:16 |
|
Golbez posted:Parameters in the URL are inside the $_GET array. So for that, you would replace $id with $_GET['id']. And then of course there's all the attendant security issues with that. To clarify this a bit, and explain WHY it stopped working: Your host did in fact change some php settings, namely, turning 'register globals' OFF, which means that you have to define variables that come in via the URL or through forms (via GET[] or POST[] respectively). The way you have things set up now, there's a huge potential for a security breach, if someone manages to do something like https://www.example.com/template.php?id=hackers.php they could cause the server to run hackers.php, or feasibly any file and thus gain access to the code and server itself, which would mean your site is hosed.
|
# ? Jan 5, 2010 20:46 |
|
Golbez posted:And then of course there's all the attendant security issues with that. Assuming the pattern holds and all of them are ##.html, he could use php:<? echo file_get_contents('./pages/'.abs(intval($_GET['id'])).'.html', FILE_TEXT); ?> Munkeymon fucked around with this message at 20:51 on Jan 5, 2010 |
# ? Jan 5, 2010 20:48 |
|
Can I put in an .htaccess file "register globals on"? So would it be better to use the $_GET methodology, or are you saying that that's the bad way? ^^^^^^^^^^^^^^^^^^^^^ EDIT: I tried that code, but I get the error: Warning: file_get_contents(./pages/83009.html): failed to open stream: No such file or directory in /hsphere/local/home/etc So it looks like it's getting the gist of what I want to do, but it's thinking that file_get_contents is part of the file name? LifeSizePotato fucked around with this message at 20:57 on Jan 5, 2010 |
# ? Jan 5, 2010 20:50 |
|
LifeSizePotato posted:Can I put in an .htaccess file "register globals on"? I don't know. I don't think so, as (from my understanding) .htaccess controls the behaviour of Apache, which is separate from PHP. It might be possible to change this behaviour by editing php.ini, if your webhost allows you to do that. I don't know whether this behaviour can be changed that way or not. My understanding is that register globals is heavily discouraged, because it represents a security risk - on any page where you use a variable and you've forgotten to make sure it's initialised first, a user can cause a script to behave differently to how you expect. It seems odd to me that your host disabled a setting like that without notifying its customers via email or something. Are you using a commercial host? quote:So would it be better to use the $_GET methodology, or are you saying that that's the bad way? Replacing the code you quoted in template.php with the following should do you ok code:
|
# ? Jan 5, 2010 21:01 |
|
LifeSizePotato posted:Can I put in an .htaccess file "register globals on"? It's telling you it can't find './pages/83009.html' - try adding the option FILE_USE_INCLUDE_PATH. The end of the line should look like this instead (note the pipe) , FILE_TEXT | FILE_USE_INCLUDE_PATH); Edit: if you're counting on PHP tags in the HTML to get processed, then forget file_get_contents and go back to using include (without the echo), but be aware that it's a security risk if users can write anything to these HTML files! Munkeymon fucked around with this message at 21:11 on Jan 5, 2010 |
# ? Jan 5, 2010 21:08 |
|
Hammerite posted:
This worked! I did discover that it's not registering an initial zero in the filenames, though. Since a lot of the document filenames are based on dates, I have some like 083008 (August 30, 2008) and it was trying to load 83008. That was causing some of the errors, so I guess I'll need to rename those files.
|
# ? Jan 5, 2010 21:33 |
|
LifeSizePotato posted:On another page, I have a randomizer that works with basically the same concept and functions fine: readfile('./pages/random/'.rand(1,25).'.html'); The reason I use readfile instead of include is that this will prevent any php code in the html file from being run. You just want to spit out the page content without running it as if it were a php script, right?
|
# ? Jan 5, 2010 22:42 |
|
DoctorScurvy posted:With modern php (version 4.2.0 and up) you don't need to worry about using srand. That's right. The actual pages it calls are really just simple text for the most part, like articles, and the template's CSS formats it.
|
# ? Jan 5, 2010 23:05 |
|
DoctorScurvy posted:If you don't have access to the remote server, then how on earth are you getting the file now?
|
# ? Jan 6, 2010 01:48 |
|
In that case as far as I know you can't do anything more than download, and inspect the filesize for any obvious discrepancy like 1/3 the size you expect or some such. If it's a standardised format you're expecting each time, validating the file is complete and in the right format is another option. Other than that you're relying on whatever they use at the far end using sensible exclusive locking while it writes the file. Which if it's a 'proper' program, not some hacked up PHP or PERL it will be, and if it's well hacked up PHP or PERL it also will be. If it's seriously just a chucked together badly written script writing this and it's not locking at their end, then all you can do is suffer through
|
# ? Jan 6, 2010 02:47 |
|
Just keep downloading it over and over until the file is the same twice in a row then sleep for ten minutes
|
# ? Jan 6, 2010 03:24 |
|
Little Brittle posted:I'm familiar with CURL, but I don't have access to the remote server. It is run by a vendor and all they offer is this text file that updates at 10 minute intervals. I just want to find a way to be sure I don't grab an incomplete file. Is this a problem you've already experienced, or are you just worried about the possibility? If it's actually possible for you to download an incomplete version of the file while the provider's in the middle of writing it, the provider is doing something hilariously wrong.
|
# ? Jan 6, 2010 05:07 |
|
When you do a GET on any file, a sane web server will open the file and hold onto that file descriptor and fread()s the gently caress out of it. Saving over a file on a sane OS will unlink that filename and then save a new file with that filename. There is probably no way you'd ever get an incorrect/incomplete file unless the people providing this service are brain dead.
|
# ? Jan 7, 2010 02:42 |
|
DaTroof posted:Is this a problem you've already experienced, or are you just worried about the possibility? If it's actually possible for you to download an incomplete version of the file while the provider's in the middle of writing it, the provider is doing something hilariously wrong. waffle iron posted:When you do a GET on any file, a sane web server will open the file and hold onto that file descriptor and fread()s the gently caress out of it. Saving over a file on a sane OS will unlink that filename and then save a new file with that filename. There is probably no way you'd ever get an incorrect/incomplete file unless the people providing this service are brain dead. This is what I was hoping to hear. I'm more of a frontend guy and don't know too much about filesystems. I guess my worries were completely unfounded if the service provider did things correctly.
|
# ? Jan 7, 2010 09:30 |
|
Generally it is a pretty bad idea to include directly from the $_GET because it opens your site to a whole host of security issues.
|
# ? Jan 7, 2010 20:40 |
|
SERIOUSLY CONFUSED BY QUOTE AND EDIT
|
# ? Jan 7, 2010 21:48 |
|
Oh ok. I wouldn't go to that trouble. You could instead do the following code:
* It occurred to me also that there should really be a line of code here that checks whether the requested page actually exists, and just gives an error page in response if it doesn't. Otherwise what will happen if the file isn't there is PHP will give an error message of its own, which will look much more crude to your users. Hammerite fucked around with this message at 21:53 on Jan 7, 2010 |
# ? Jan 7, 2010 21:49 |
|
Hammerite posted:Oh ok. I wouldn't go to that trouble. You could instead do the following Are you really casting it to a string then checking against an array of strings that happen to also be the digits 0 - 9 to check to see if the input is a number?
|
# ? Jan 8, 2010 01:02 |
|
Lumpy posted:Are you really casting it to a string then checking against an array of strings that happen to also be the digits 0 - 9 to check to see if the input is a number?
|
# ? Jan 8, 2010 02:04 |
|
'x' == 0 evaluates to false. Also, isNumeric() is a good function.
|
# ? Jan 8, 2010 02:13 |
|
1: (int)$_GET['id']; this will force the value to be an int
leading zeros will be an issue if you do this

2: === tests for equal value and SAME TYPE
this is why if($x === FALSE) is better than if(!$x)
huge amounts of the PHP library use this to allow the functions to return either data or boolean FALSE, so you should know how to test for that explicitly

3:
define('VALID_CHARS', '0123456789');
$suspect_data = 'whatever it may be';
if(str_replace(explode('', VALID_CHARS), '', $suspect_data) !== '') {
    // the suspect data contains invalid characters!
}
is a general 'accept only these characters, but any length and any permutation' recipe. simply replace all the valid chars and if ANYTHING is left, it's invalid

Edit: made typing boo boos
Edit 2: also from 4.30 upwards, ctype_digit, ctype_alpha and ctype_alnum are available (my friggery above is really only suitable for weird subsets of characters, not for 'is all digits' etc)
lastly; it's actually is_numeric not isNumeric
KuruMonkey fucked around with this message at 02:34 on Jan 8, 2010 |
# ? Jan 8, 2010 02:17 |
|
Hammerite posted:That's right. The reason I'm doing something so convoluted is because I wasn't sure what behaviour PHP exhibits if you ask it whether a non-numeric single-character string is equal in value to integer zero. i.e. I wasn't sure whether for example 'X' == 0 or '.' == 0 evaluate to true or false. I wanted to make sure only digits can get through. While the code I posted is rather stupid, I believe it's secure. I didn't want to post insecure code for the guy. As I mentioned, if I could have been bothered to look up the right way to do it with a regex I would have done that instead.
php:<?
if(preg_match('/^\d+$/', $_GET['id']) ) {
    // hooray!
}
?>
|
# ? Jan 8, 2010 03:27 |
|
Lumpy posted:
I could find out about ^ and $ in regular characters on the internet, but I vaguely recalled that in some implementations / in some modes, they'll match at newlines as well as at the start and end of the string. I might have been mistaken in that recollection, but at any rate I was unsure of the safety of using them in that way. And it's better to have code that looks ridiculous but is secure than to have code that is insecure. Also, yes I should just have used is_Numeric or whatever it is called. Thanks for the heads-up. Also - explode() doesn't work if the first argument is an empty string, you need to use str_split() for that
|
# ? Jan 8, 2010 03:54 |
|
OK, so it turns out /\A\d+\Z/ would have satisfied my paranoia.
|
# ? Jan 8, 2010 03:59 |
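The checks discussed in this thread (digits only, leading zeros kept, a missing page handled, file content sent without executing it), put together as an added example that is not any poster's code. The function name `resolve_page`, the 8-digit length cap and the temporary pages directory are assumptions; the last lines compare how `$`, `\Z`, `\z` and `ctype_digit()` treat an id with a trailing newline.

```php
<?php
// Added example: not code from any poster in this thread.
// resolve_page() and the pages directory layout are hypothetical names.

/**
 * Map a request id to a file under $pagesDir, or return null if the id
 * is not acceptable or the page does not exist.
 */
function resolve_page($id, string $pagesDir): ?string
{
    // Reject arrays (?id[]=1) and anything that is not 1-8 ASCII digits
    // (the cap of 8 is an assumed limit). The id stays a string, so
    // "083008" keeps its leading zero. \z is the absolute end of the
    // subject; $ and \Z also match just before a trailing "\n".
    if (!is_string($id) || preg_match('/\A[0-9]{1,8}\z/', $id) !== 1) {
        return null;
    }
    $path = $pagesDir . '/' . $id . '.html';
    return is_file($path) ? $path : null;
}

// --- Constructed demo: a temporary pages directory with two files ---
$pagesDir = sys_get_temp_dir() . '/pages_demo_' . getmypid();
mkdir($pagesDir);
file_put_contents("$pagesDir/23.html", "<p>page 23</p>\n");
file_put_contents("$pagesDir/083008.html", "<p>August 30, 2008</p>\n");

// Constructed inputs standing in for $_GET['id'].
$samples = ['23', '083008', '99', '../23', "23\n", '', ['23']];
foreach ($samples as $raw) {
    $page = resolve_page($raw, $pagesDir);
    echo str_pad(json_encode($raw), 12), ' => ';
    if ($page === null) {
        echo "404 (rejected or missing)\n";
    } else {
        readfile($page);   // sends the bytes; PHP tags inside are not executed
    }
}

// How the anchors mentioned in the thread treat a trailing newline.
$probe = "23\n";
var_dump(preg_match('/^\d+$/', $probe));    // $ also matches before a final \n
var_dump(preg_match('/\A\d+\Z/', $probe));  // \Z also matches before a final \n
var_dump(preg_match('/\A\d+\z/', $probe));  // \z matches only at the very end
var_dump(ctype_digit($probe));              // every character must be a digit

// Clean up the demo directory.
array_map('unlink', glob("$pagesDir/*.html"));
rmdir($pagesDir);
```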
|
Hammerite posted:Also - explode() doesn't work if the first argument is an empty string, you need to use str_split() for that Well gently caress me; you're right. [puzzled look] I'm sure I've used that before. More than once.
|
# ? Jan 8, 2010 10:24 |