|
DarkLotus posted:I've been dreaming up a side project that will need to parse different languages (css, html, php, python, java, etc...). Instead of reinventing the wheel, do you have any examples of these parsers you speak of? I haven't tried any personally but I'm in the process of checking some out myself and there's hundreds to choose from. https://github.com/search?q=syntax+highlighter&ref=cmdform is a good place to start.
|
#
?
Apr 12, 2013 19:56
|
|
|
|
| # ? May 15, 2024 10:06 |
|
|
I'm looking at building a multi-room AJAX chat system from scratch in PHP that needs to support 500+ logged in users, and it might need to scale past that. I'm not opposed to doing it in another language or using an off-the-shelf library, but I have a decent level of confidence in PHPs ability to handle the load. It needs to be web-based, and it needs to be relatively custom so using something off the shelf probably wouldn't work. Fortunately this system will be closed/subscription only and DoS attacks are not likely to be a problem. I have built an AJAX chat app before so I am somewhat familiar with the territory. I'm in the early research stages now and I'm trying to figure out the best way to build it out. My primary concern is with scaling and client polling. My thought was to use WebSockets and then fall back to 1s AJAX polling intervals for older browsers. Since this needs to scale into the future, WebSockets-capable browsers will be increasing over time. My other thought is that I can monitor server response times and store the data in a small (memory?) db and then use this information to tell the browsers what refresh interval to use. This way it can scale somewhat automatically somewhat gracefully. I was also thinking it would make sense to build out the app so that it can be load-balanced across a few boxes if need be. Does this method sound like it would scale? Are there any architectural gotchas I need to think about? Synchronicity issues that might come up using loadbalanced web servers?
|
|
#
?
Apr 14, 2013 16:22
|
|
|
SimonNotGarfunkel posted:Having been pretty impressed with CI as a newcomer to frameworks in the last few months, and then being overwhelmed with Symfony2 I've finally landed on Laravel 4 Beta and really love it. I've been hesitant to go to the 4 Beta, but I loving love Laravel.
|
|
#
?
Apr 14, 2013 17:54
|
|
|
revmoo posted:I'm looking at building a multi-room AJAX chat system from scratch in PHP that needs to support 500+ logged in users, and it might need to scale past that. [...] My primary concern is with scaling and client polling. My thought was to use WebSockets and then fall back to 1s AJAX polling intervals for older browsers. This is the right approach, but PHP is the wrong environment to do websockets in, and up to 500 clients is going to utterly murder the machine under the weight of 500 PHP processes. Give some serious thought to Node.js for this task.
|
|
#
?
Apr 14, 2013 18:34
|
|
|
Cartesian_Duelist posted:I've been hesitant to go to the 4 Beta, but I loving love Laravel. It's been pretty drat stable for me personally. And that 6 months was meant to be 6 weeks. It's due in May I believe.
|
|
#
?
Apr 15, 2013 00:06
|
|
|
Hello all, I guess this is more of a SQL question than PHP but I didn't see a thread for that and I thought this thread's audience would be best able to answer. I am currently working on a PHP boardgame, it's my first full PHP project and I'm somewhat of a novice. I have the game logic worked out, as in I can hard code a game state and display it. Now I'm moving towards turning this into a real web app. My question is, what would be the best way to store my game board instances in my DB? Each game started by a user has a board which is a 10 x 10 board of cells, each of these 100 cells would contain info as far as who owns the cell and if the cell is a winner. I have a basic understanding of SQL but I have no idea how I would store 100 cells per game board in SQL. Can anybody point me in the right direction to do this? Edit: Hurr, I guess there is a database/sql thread, posting this there to. Ninja Dan fucked around with this message at 21:08 on Apr 15, 2013 |
|
#
?
Apr 15, 2013 21:03
|
|
|
Ninja Dan posted:Hello all, I guess this is more of a SQL question than PHP but I didn't see a thread for that and I thought this thread's audience would be best able to answer. I am currently working on a PHP boardgame, it's my first full PHP project and I'm somewhat of a novice. I have the game logic worked out, as in I can hard code a game state and display it. Now I'm moving towards turning this into a real web app. Basically, you'd be doing a table for: 1) Each Table - ID - User ID who started the game - Title (possibly) - Timestamps (updated and created) 2) Each user - ID - Name - Hashed and salted password - Timestamps - Any other info such as email 3) Each cell - ID - Game ID - Cell state (winner/loser) - Owner ID You always want to limit your fields to one piece of data per field, no more. Once the game is complete, you're going to want to run database cleanup of some kind as well, so your tables don't get enormous.
|
|
#
?
Apr 15, 2013 21:12
|
|
|
Cartesian_Duelist posted:Basically, you'd be doing a table for: Awesome, this is just what I needed. Basically what I would be doing is creating a game, then as the cells for that game are claimed I could create an entry for that cell containing the game's ID and cell's coordinates; then whenever the game is loaded query all cells containing that game's IDs and assume any unrepresented cells are unclaimed?
|
|
#
?
Apr 15, 2013 23:01
|
|
|
Ninja Dan posted:Awesome, this is just what I needed. Basically what I would be doing is creating a game, then as the cells for that game are claimed I could create an entry for that cell containing the game's ID and cell's coordinates; then whenever the game is loaded query all cells containing that game's IDs and assume any unrepresented cells are unclaimed? You've got it.
|
|
#
?
Apr 16, 2013 01:50
|
|
|
Does anyone know why my php textarea form will not pass '<str:' throug, but if it is '< str:' it will. When '<str:' is passed the variable will be null. code:php:<? submitQuery.php $Code == $_POST['Code']; ?>
|
|
#
?
Apr 16, 2013 19:23
|
|
|
Be sure that you're using htmlspecialchars() when outputting because <str: might make a web browser try to interpret it as HTML. If that doesn't help, does var_dump($_POST) show anything? What if you add other inputs to the form? Have you checked your browser request and made sure it's going through?
|
|
#
?
Apr 17, 2013 04:31
|
|
|
Zamujasa posted:Be sure that you're using htmlspecialchars() when outputting because <str: might make a web browser try to interpret it as HTML. Thanks for the information, performing $Code = htmlspecialchars($_POST['Code']); seemed to obtain the entire string when I passed through Flex code similar to below. code:
|
|
#
?
Apr 17, 2013 16:31
|
|
|
However if I pass through java docs into that variable it will be null if obtained with code:
|
|
#
?
Apr 17, 2013 16:34
|
|
|
Is it actually null or just not visible? it would be rare for htmlspecialchars to return null as it's essentially a string replace. Without knowing the string or exact code youre using its a bit hard to diagnose, but try something like the following as Zamujasa suggested: php:<? var_dump($_POST); $code = htmlspecialchars($_POST['Code']); var_dump($code); ?>
|
|
#
?
Apr 17, 2013 22:43
|
|
|
Any recommendations for an SMS Gateway service? Can anyone explain how SMS services work? How do companies get their own number to send and receive SMS messages? I'm looking into some options for sending SMS messages via a PHP API preferably.
|
|
#
?
Apr 20, 2013 01:31
|
|
|
mooky posted:Any recommendations for an SMS Gateway service? Twilio is definitely an option. Are you looking for a shortcode or just a way to send messages via an API?
|
|
#
?
Apr 20, 2013 02:08
|
|
|
Fluue posted:Twilio is definitely an option. Are you looking for a shortcode or just a way to send messages via an API? I want to use it to send notifications to users regarding their account. An opt-in SMS message option. I don't know if I would ever need a reason to have a dedicated number/address to receive messages but it might help if my users knew the number that SMS numbers would be sent from. What do you mean by shortcode? php API would be best, even if they don't have a published php library, I can code one myself.
|
|
#
?
Apr 20, 2013 02:48
|
|
|
mooky posted:I want to use it to send notifications to users regarding their account. An opt-in SMS message option. Twilio can give you a dedicated number starting at $1 a month. A shortcode is a four-to-five-digit number you can use for SMS instead of a phone number, like the ones American Idol uses for voting. They start around $1000 a month. There's a PHP SDK for the Twilio API. Very easy to use. I got a trial account and had a demo app working in a few hours.
|
|
#
?
Apr 20, 2013 03:29
|
|
|
mooky posted:I want to use it to send notifications to users regarding their account. An opt-in SMS message option. You can use Amazon SNS for this as well. They have a way to subscribe a phone number(multiple if you wish, as well as email addresses) to a feed of sorts that you can publish to. When you publish to this feed it will notify all subscribed entities (email, sms) via the appropriate channel. You don't get your own # (I don't think)- it comes from a specific Amazon shortcode it seems. But, they handle all of the opt-in logic (sends a text where the user has to say OK to the subscription, etc). They definitely have an API as well, but I've only used it via rails. I'm sure you could use PHP too. e: shortcode = short 5 digit number instead of a full 10 digit phone number, the kind you see in many promos these days. DankTamagachi fucked around with this message at 21:05 on Apr 20, 2013 |
|
#
?
Apr 20, 2013 20:48
|
|
|
I am trying to avoid making too many database calls in this piece of code. I have an integer that corresponds to a string value, so I figure enumerations would work well. However is there a way to get the string value of the enum without looping through everytime. php:<?
class Enum {
const Java = '0';
const Flex = '1';
}
?>php:<?
//hopfully would output 'Java'
echo Enum::${0};
?>"Access to undeclared static property" I guess i could store these all in an associative array, just figured this is what enumerations are for DholmbladRU fucked around with this message at 17:56 on Apr 24, 2013 |
|
#
?
Apr 24, 2013 17:49
|
|
|
You should be able to use the constant() function to pull that off. Class constants are still constants. However, quote:I am trying to avoid making too many database calls in this piece of code.
|
|
#
?
Apr 24, 2013 18:30
|
|
|
how do you access it with constant() method, every time I try I get error messages constant(classNm:: int); always throws parse error
|
|
#
?
Apr 24, 2013 20:52
|
|
|
Pass it as a string. echo constant('Enum::' . $foo);
|
|
#
?
Apr 24, 2013 21:08
|
|
|
this? constant('Enum::' . 0);
|
|
#
?
Apr 24, 2013 23:14
|
|
|
PHP does not have enums as a native type. You have to create some magic for it to work that way. To get that constant variable's name by its position in the class, you could use reflection or you could implement some crazy classes to extend like this guy for enum behavior edit: looks like there might be an extension for enum http://us2.php.net/manual/en/class.splenum.php edit 2: to clarify, I agree with the post below this one recommending to just use an array 486 fucked around with this message at 01:10 on Apr 25, 2013 |
|
#
?
Apr 24, 2013 23:40
|
|
|
DholmbladRU posted:this? Oh. No, you can't use numbers as the first character in any PHP identifier, including constants. Honestly you're better off not trying to do the thing you're trying to do. If you want a simple lookup mechanism, use an array, that's what they're for. I advise against trying the enum extension or the wacky class-based thing linked above.
|
|
#
?
Apr 25, 2013 00:28
|
|
|
So is PHPUnit what everyone uses for unit tests or is there something better out there?
|
|
#
?
Apr 25, 2013 20:36
|
|
|
PHPUnit is what everyone's pretty much standardized on. There are a few alternatives, like Behat (BDD-oriented) and SimpleTest.
|
|
#
?
Apr 25, 2013 20:51
|
|
|
I'm writing a php app and want to track changes that a user makes. An example could be a user management system where a user can modify his own records and with proper permissions, records of other users. He might also be able to add and remove contacts or groups and assign users to groups. What is the best way to log what changes a user has made within your php app? The main goal is to be able to find all changes a user has made, but at the same time track changes made to an object such as a user or group. The logs / audit trail will be user viewable, so the something human readable is required (User Joe (ID 1234) changed Group Test (ID 5678) on 2013-04-26 09:03:24) - it may be useful to also track what was changed exactly, not just who changed what. Is there an existing class or set of functions and database schema for this type of thing? Is there a good example that I can follow? I'm open to any and all suggestions.
|
|
#
?
Apr 26, 2013 17:06
|
|
|
mooky posted:I'm writing a php app and want to track changes that a user makes. I would look into something like an Event Dispatcher - https://packagist.org/packages/symfony/event-dispatcher That way you can register events for common actions, and then dispatch them whenever that action is performed. If you need _really_ fine grained audit logs, you can make a trigger on your database that stores what exact user makes inserts, updates, and deletes on different tables - http://wiki.postgresql.org/wiki/Audit_trigger Of course, that could be overkill and that table could grow quite large very quickly.
|
|
#
?
Apr 26, 2013 18:51
|
|
|
You aren't going to find much premade that will pull this off. There are a few approaches you can take. The "easiest" is going to be adding a trigger to each table you're updating that records the "before" state of each row in a dedicated per-table log table. You'll need to add things like a request ID, or always record user and timestamp with each logged table. Building the UI will be more complex here, as you'd only get a record of what data was changed. This is considered "easy" because it requires few, if any, changes to your application. The second approach will only work if you have a multi-tier application with a data access layer following, say, the Data Mapper pattern. The layer could take the object it needs to persist and compare it to the last loaded instance of the object, then log the differences. There are between zero and no PHP applications in the entire world that are architected obsessively enough to actually pull this off without extreme pain. The third approach is going to be the most time consuming, yet simple and straightforward. At every point where you process changes and update the database, you manually, by hand, record the changed data. This gives you the opportunity to create custom messages, user friendly bits, include or exclude certain fields, etc. It has the most places that can go wrong, but also gives you the greatest flexibility with regards to what gets recorded, when it gets recorded, and how it gets recorded. We opted for the first option when we needed similar functionality, because we had previously done the third option and it sucked hard.
|
|
#
?
Apr 26, 2013 18:52
|
|
|
Thanks for the replies. I really want to focus on the end result which is list of actions performed by a user recorded in a readable format. Triggers would be the easiest to implement but would by no means be readable by the average user. It sounds like the best way is to really just log the activity as it happens in a format that I control. Thanks for the suggestions, I'll see what I can do. In my searching, there doesn't really appear to be a best practice for this type of thing but lots of people seem to suggest either mysql triggers or manually recording the changes in a activity log or user log table.
|
|
#
?
Apr 26, 2013 19:32
|
|
|
I have a problem. I've got a new job where I'm maintaining this utterly *ancient* piece of code , like 12 years old and as many years of haphazard patching leaving a bloody awful website based on table layouts (  ) , magic quotes, get variables coming in via some sort of magic and so on.The dude however believes that the code is SUPER SECURE because the guy who wrote it was an ENGINEER. Its loving awful. I've found a number of SQL injections, but it seems at some point the guy decided to use htmlentities as his cleaning mechanism for sql. My gut instinct tells me this is wrong, but I'm not entirely sure how to exploit it. There is THIS clanger however PHP code:so duckmonster@magicalwebsite.com becomes /usr/bin/nslookup magicalwebsite.com If it returns with the word NXDOMAIN anywhere, it means the domain isn't real and its not a real email address. This is borked. But I need to prove it. I had him leaning over with me fuming about this insane code as I tried to exploit it using stuff like duckmonster@magicalwebsite.com ; cat /etc/passwd > /var/www/passwds.txt etc.... But nothing I could do could exploit this. Anyone know a good way to DEMONSTRATE that this code is insane and broken to my boss? I'm trying to get him to let me rewrite the whole drat site either in DJANGO or PHP (preferably using either Cake or a combo of Smarty and an ORM duck monster fucked around with this message at 23:14 on Apr 28, 2013 |
|
#
?
Apr 28, 2013 23:11
|
|
|
duck monster posted:The dude however believes that the code is SUPER SECURE because the guy who wrote it was an ENGINEER. Its loving awful. I've found a number of SQL injections, but it seems at some point the guy decided to use htmlentities as his cleaning mechanism for sql. My gut instinct tells me this is wrong, but I'm not entirely sure how to exploit it. It sounds badly insecure but the existence of specific exploits might be dependent on implementation details we don't have. For example, the manual entry for htmlentities says that its default behaviour is to leave single quotes alone. If the flags parameter is not used to change this, and single quotes are used to delimit strings in SQL statements, then this may be exploitable. On the other hand, if double quotes are used for this purpose (this works by default in MySQL) then that specifically may not be an actual exploit, in spite of the inappropriate use of htmlentities. That doesn't mean that other exploits don't exist. I don't know how to exploit the exec/email thing either I'm afraid although it looks hideous.
|
|
#
?
Apr 28, 2013 23:30
|
|
|
This is the problem with being an honest man. I know how all these vunerabilities work. I've just never had a reason to actually try and use the drat things 
|
|
#
?
Apr 29, 2013 00:19
|
|
|
Hammerite makes the best point here; simply because you can't exploit it doesn't mean it's secure. I see MySQL injection being thwarted on most recent setups simply because mysql_query() refuses to run multiple queries (dies when it hits the semicolon) , rather than anyone sanitizing their data properly. I'm guessing the same thing is why your exec() isn't exploitable. That said, it's very much worth pointing out to whoever the developer is that they're doing it very, very wrong. For instance, you could swap out that horrible exec() for the following (stolen from stack overflow) php:<?
// Check email is valid
if ( filter_var($email, FILTER_VALIDATE_EMAIL) === FALSE) {
echo "Your email is invalid.";
}
// Check domain
$domain = substr($email, strpos($email, '@'));
elseif (checkdnsrr($domain) === FALSE) {
echo "That domain doesn't exist."
}
// Create account if OK
else
{
create_user($email);
}
?>* Throw this whole thing into GIT and branch off of it. Your nemesis can continue to work on it, and you can hack it up and fix it then merge it back with his stuff later on. * If the DB stuff isn't written too horrendously, you might be able to find-and-replace your way out of this, and wrap everything in a DB accessor class. * If it's not doing stuff like isset($_POST) to determine the execution path, find-and-replace all the $_GET and $_POST stuff with $_REQUEST just because. * If you're using an IDE like PHP Storm, just blanket replace htmlentities with mysql_real_escape_string (or whatever) and then go through the changes as a git diff and revert anything inappropriate. This isn't the right way to do it, but for blind blanket changes I find this workflow really fast. * Stay the gently caress away from Smarty. I don't care if you're working with designers or monkeys, they might as well learn some basic PHP than everyone having to learn Smarty. If you already know Smarty, you should know it's a complete bitch to do anything truly complex in it, and you're much better off just using straight PHP, hopefully in some kind of view wrapper class (ie. CakePHP). Usually the best argument to a boss about this kind of code is; the current framework is barely a framework at all, and you're spending far too much time writing basic functionality rather than actual program code. The method of data sanitation is awful and should be handled by the framework and not need writing every time you want to manipulate data. If your application is front-facing, point out the recent breaches with Sony, PBS, Yahoo! and the Royal Navy (http://en.wikipedia.org/wiki/SQL_injection#Examples). These guys probably thought their stuff was secure too because ~engineers~, but if you're not doing it right, and you're pointing this out to them now, then you're heading for a world of hurt.
|
|
#
?
Apr 29, 2013 04:42
|
|
|
Another aspect of what I was saying is that if an actual exploit doesn't exist due to the happy accident of some implementation detail interfering with it, it could mean that changes that should be innocent actually enable exploits. So you will have to tread very carefully when tidying things up I would guess. But the first thing to do, I imagine, is to put proper input sanitisation in place everywhere.
|
|
#
?
Apr 29, 2013 15:29
|
|
|
As a fun example, heres some code that uses htmlspecialchars() to sanitize query inputs (and uses the ENT_QUOTE flag so apostrophes also get filtered):code:firstName=asdf\ lastName=, is_admin=1 WHERE id=123 -- a id=whatever The query becomes: UPDATE users SET first_name = "asdf\", last_name = ", is_admin=1 WHERE id=123 -- a" WHERE id = "whatever"; htmlspecialchars() doesnt sanitize slashes. So the first name ending quote gets slashed which makes it eat up the last_name part of the query. First name becomes the string asdf", last_name = and the user can control the rest of the query, and thus chooses to set the is_admin flag to true for user 123, then comments the rest of the query. If you use htmlspecialchars() to sanitize, then anywhere the code uses two user inputs in a row, a user has the potential of hijacking the query.
|
|
#
?
Apr 29, 2013 15:57
|
|
|
v1nce posted:Hammerite makes the best point here; simply because you can't exploit it doesn't mean it's secure. I see MySQL injection being thwarted on most recent setups simply because mysql_query() refuses to run multiple queries (dies when it hits the semicolon) , rather than anyone sanitizing their data properly. I'm guessing the same thing is why your exec() isn't exploitable. Nemesis rapidly losing favor. He mailed in a patch with some code like this code:quote:
One fortunate thing is most of this is long drop (code starts at top and just drops through to the bottom with little in the way of structure) spagetti code with very little in the way of intertwangled dependencies. This makes it easier to just go "Today I'm replacing ALL the code for THIS page" to take the sting out of a rewrite. I'm going to start either moving stuff across to an ORM or just PDO with a strict policy of using stored procedures for data and parameter passing rather than string interpolation. Its hard work though, some of these are 10K long pages of table laid out HTML mushed in with PHP and SQL. quote:* If it's not doing stuff like isset($_POST) to determine the execution path, find-and-replace all the $_GET and $_POST stuff with $_REQUEST just because. quote:*llght as well learn some basic PHP than everyone having to learn Smarty. If you already know Smarty, you should know it's a complete bitch to do anything truly complex in it, and you're much better off just using straight PHP, hopefully in some kind of view wrapper class (ie. CakePHP). With PHP comes programming attempts. With programming attempts come power. With power comes sql-injection and other assorted stupidities. I just want HTML templates with holes poked in them for my code to stick its dick into. HTML people need to stay the gently caress away from my code. My major problem with smarty is its too functional and encourages people to try and do logic in presentation. Trust me I've seen smarty files with giant decision trees of madness branching through them. My optimal template engine would allow substitution, and instantable blocks with a non-controller view behind it automating the instantiation. Alas, It'd probably give most people migranes. quote:Usually the best argument to a boss about this kind of code is; the current framework is barely a framework at all, and you're spending far too much time writing basic functionality rather than actual program code. The method of data sanitation is awful and should be handled by the framework and not need writing every time you want to manipulate data. Yeah I'm starting to get the message through. duck monster fucked around with this message at 16:47 on Apr 29, 2013 |
|
#
?
Apr 29, 2013 16:40
|
|
|
|
| # ? May 15, 2024 10:06 |
|
|
quote:With PHP comes programming attempts. With programming attempts come power. With power comes sql-injectio n. danger. HTML people need to stay the gently caress away from my code. My major problem with smarty is its too functional and encourages people to try and do logic in presentation. Trust me I've seen smarty files with giant decision trees of madness branching through them. My optimal template engine would allow substitution, and instantable blocks with a non-controller view behind it automating the instantiation. Alas, It'd probably give most people migranes. Laravel. That is all.
|
|
#
?
Apr 29, 2013 18:49
|
|