From elharo at metalab.unc.edu Sun Sep 2 08:02:42 2007
From: elharo at metalab.unc.edu (Elliotte Harold)
Date: Sun, 02 Sep 2007 08:02:42 -0400
Subject: [nycphp-talk] Minimal overhead
Message-ID: <46DAA662.6050404@metalab.unc.edu>

Suppose I don't want it to be so obvious that I'm using PHP on a site, or that I just want the freedom to not always use PHP in a given document. Thus I decide to configure Apache to treat all .html files as PHP files.

How much overhead does this add for the common case when a file only contains static data, no PHP? Would I notice the hit?

--
Elliotte Rusty Harold  elharo at metalab.unc.edu
Java I/O 2nd Edition Just Published!
http://www.cafeaulait.org/books/javaio2/
http://www.amazon.com/exec/obidos/ISBN=0596527500/ref=nosim/cafeaulaitA/

From paul at devonianfarm.com Sun Sep 2 08:55:15 2007
From: paul at devonianfarm.com (Paul Houle)
Date: Sun, 02 Sep 2007 08:55:15 -0400
Subject: [nycphp-talk] Minimal overhead
In-Reply-To: <46DAA662.6050404@metalab.unc.edu>
References: <46DAA662.6050404@metalab.unc.edu>
Message-ID: <46DAB2B3.4060504@devonianfarm.com>

Elliotte Harold wrote:
> Suppose I don't want it to be so obvious that I'm using PHP on a site,
> Or that I just want the freedom to not always use PHP in a given
> document. Thus I decide to configure Apache to treat all .html files
> as PHP files.
>
> How much overhead does this add for the common case when a file only
> contains static data, no PHP? Would I notice the hit?
>
You should measure this yourself using tools such as ab (ApacheBench, included with the Apache distribution).

I benched out an Apache 2 installation on a somewhat beefy Linux machine about two years ago. Apache could serve about 2000 hits/sec of plain HTML files and around 400 hits/sec of simple PHP files. About five years ago I developed a simple PHP system that put templating on existing HTML documents. I clocked this at around 100 hits/sec, which is around 8 million a day.

There is substantial overhead in processing PHP, but most people won't notice it unless they have very high traffic sites or are in a very resource constrained environment.

From ramons at gmx.net Sun Sep 2 09:25:41 2007
From: ramons at gmx.net (David Krings)
Date: Sun, 02 Sep 2007 09:25:41 -0400
Subject: [nycphp-talk] Minimal overhead
In-Reply-To: <46DAA662.6050404@metalab.unc.edu>
References: <46DAA662.6050404@metalab.unc.edu>
Message-ID: <46DAB9D5.90109@gmx.net>

Elliotte Harold wrote:
> Suppose I don't want it to be so obvious that I'm using PHP on a site,
> Or that I just want the freedom to not always use PHP in a given
> document. Thus I decide to configure Apache to treat all .html files as
> PHP files.
>
> How much overhead does this add for the common case when a file only
> contains static data, no PHP? Would I notice the hit?
>
As usual, it depends. All pages will be sent to the PHP interpreter, which parses the file, decides that there is nothing to do and has the web server serve the static content. While there may be no noticeable difference when calling one page, it may come into play when you get several thousand hits a minute.

What's so wrong with calling files .htm and .php and handling them differently? Although, I can ask the opposite question and come up with some good answers as well. I'd take a look as to how busy the site is and how much oomph your server box has. Or just try it out and see what happens.

I came across several instances where I crafted a page as static, but then wanted to add a header and then internationalization based on user preference. At that point there isn't a way around PHP. Chances are that you will use PHP at some point even for pages that are currently static.

David

From joshmccormack at travelersdiary.com Sun Sep 2 11:14:54 2007
From: joshmccormack at travelersdiary.com (Josh McCormack)
Date: Sun, 2 Sep 2007 11:14:54 -0400
Subject: [nycphp-talk] Minimal overhead
In-Reply-To: <46DAB9D5.90109@gmx.net>
References: <46DAA662.6050404@metalab.unc.edu> <46DAB9D5.90109@gmx.net>
Message-ID:

You could get around having to have all pages be PHP by running them through some sort of preprocessor that makes static pages for that audience, day, hour, etc., and flags which files really need to be dynamic. Sounds like a lot of work, though.

Josh

On 9/2/07, David Krings wrote:
> Elliotte Harold wrote:
> > Suppose I don't want it to be so obvious that I'm using PHP on a site,
> > Or that I just want the freedom to not always use PHP in a given
> > document. Thus I decide to configure Apache to treat all .html files as
> > PHP files.
> >
> > How much overhead does this add for the common case when a file only
> > contains static data, no PHP? Would I notice the hit?
> >
>
> As usual, it depends. All pages will be sent to the PHP interpreter
> which parses the file and decides that there is nothing to do and has
> the web server serve the static content. While there may be no
> noticeable difference when calling one page it may come into play when
> you get several thousand hits a minute.
>
> What's so wrong with calling files .htm and .php and handle them
> differently? Although, I can ask the opposite question and come up with
> some good answers as well. I'd take a look as to how busy the site is
> and how much oomph your server box has. Or just try it out and see what
> happens.
> I came across several instances where I crafted a page as static, but
> then wanted to add a header and then internationalization based on user
> preference. At that point there isn't a way around PHP. Chances are that
> you will use PHP at some point even for pages that are currently static.
>
> David
>
> _______________________________________________
> New York PHP Community Talk Mailing List
> http://lists.nyphp.org/mailman/listinfo/talk
>
> NYPHPCon 2006 Presentations Online
> http://www.nyphpcon.com
>
> Show Your Participation in New York PHP
> http://www.nyphp.org/show_participation.php
>

--
Josh McCormack
Owner, InteractiveQA
Web testing & development
http://www.interactiveqa.com
917.620.4902

From paul at devonianfarm.com Sun Sep 2 13:02:31 2007
From: paul at devonianfarm.com (Paul Houle)
Date: Sun, 02 Sep 2007 13:02:31 -0400
Subject: [nycphp-talk] Minimal overhead
In-Reply-To:
References: <46DAA662.6050404@metalab.unc.edu> <46DAB9D5.90109@gmx.net>
Message-ID: <46DAECA7.7010705@devonianfarm.com>

Josh McCormack wrote:
> You could get around having to have all pages be php by running
> through some sort of preprocessor that makes static pages for that
> audience, day, hour, etc, and flags which files really need to be
> dynamic. Sounds like a lot of work, though.
>
> Josh
>
I'm currently building an ultralight publishing system to preserve an old database-backed site that got trashed a year or two ago. I don't have any intention of adding new articles, so I don't need a live database.

I wrote a script that read rows from the database and wrote them into ".html" files that look like

"20070202304034", "TITLE" => "The title of this post" ... );

I'm just about to use the "auto_prepend_file" configuration directive to run another PHP file that renders the page based on the contents of $post_data. I expect to get excellent performance this way, but still have the flexibility of changing the way files are rendered without having to go back to the database.
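The pre-rendered-file scheme Paul describes, written out as an added example; this is not Paul's code or anything from the list, and the table name, column names, array keys (DATE, TITLE, BODY), directory paths and the Apache directive values are all assumptions. The generator turns each database row into a .html file that holds nothing but a $post_data array (var_export() emits proper PHP string literals, so row contents can never become code), and the prepend script renders that array with output escaping, or simply lets a genuinely static .html file print itself.

```php
<?php
// ---- generate.php: run once from the command line (added example; the
// "posts" table and its id/date/title/body columns are assumptions). ----

function write_post_file(string $dir, array $row): string
{
    // Whitelist the fields we export so an unexpected column never leaks.
    $post_data = [
        'DATE'  => (string) $row['date'],
        'TITLE' => (string) $row['title'],
        'BODY'  => (string) $row['body'],
    ];
    // var_export() writes the values as escaped PHP string literals, so a
    // quote or "?>" inside a row cannot break out of the array into code.
    $php  = "<?php\n\$post_data = " . var_export($post_data, true) . ";\n";
    $file = $dir . '/' . (int) $row['id'] . '.html';
    file_put_contents($file, $php, LOCK_EX);
    return $file;
}

function generate_all(PDO $db, string $dir): int
{
    $count = 0;
    foreach ($db->query('SELECT id, date, title, body FROM posts') as $row) {
        write_post_file($dir, $row);
        $count++;
    }
    return $count;
}

// ---- prepend.php: installed for the directory that serves the files with
//   AddType application/x-httpd-php .html
//   php_value auto_prepend_file /var/www/lib/prepend.php
// (paths are assumptions). PHP runs this before every .html request. ----

function render_post(array $post): string
{
    $e = function (string $s): string {
        return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    };
    // TITLE and DATE are plain text and are escaped so a quote in a title
    // cannot inject markup. BODY is assumed to be the HTML the old site
    // already published; if it ever came from untrusted input, sanitize it
    // before it is written into the generated file.
    return "<!DOCTYPE html>\n<html><head><meta charset=\"UTF-8\">\n"
         . "<title>" . $e($post['TITLE']) . "</title></head>\n"
         . "<body><h1>" . $e($post['TITLE']) . "</h1>\n"
         . "<p class=\"date\">" . $e($post['DATE']) . "</p>\n"
         . $post['BODY'] . "\n</body></html>\n";
}

if (PHP_SAPI !== 'cli') {
    // The file Apache mapped the request to (a generated or static .html).
    $target = $_SERVER['SCRIPT_FILENAME'] ?? '';
    if (substr($target, -5) === '.html' && is_file($target)) {
        $post_data = null;
        include $target;   // a generated file only assigns $post_data;
                           // a genuinely static file prints itself here
        if (is_array($post_data)
            && isset($post_data['TITLE'], $post_data['DATE'], $post_data['BODY'])) {
            header('Content-Type: text/html; charset=UTF-8');
            echo render_post($post_data);
        }
        exit;   // stop PHP from executing the same file a second time
    }
}
```

The `exit` at the end is what makes auto_prepend_file work for rendering: the prepended script has already included and handled the requested file, so without it PHP would run the .html a second time and a static page would be sent twice. Keeping the escaping in one renderer also means a change of layout never requires touching the database, which is the flexibility Paul is after.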
From jakob.buchgraber at googlemail.com Sun Sep 2 12:49:42 2007
From: jakob.buchgraber at googlemail.com (Jakob Buchgraber)
Date: Sun, 02 Sep 2007 18:49:42 +0200
Subject: [nycphp-talk] Minimal overhead
In-Reply-To: <46DAA662.6050404@metalab.unc.edu>
References: <46DAA662.6050404@metalab.unc.edu>
Message-ID: <46DAE9A6.5050500@gmail.com>

Elliotte Harold wrote:
> Suppose I don't want it to be so obvious that I'm using PHP on a site,
> Or that I just want the freedom to not always use PHP in a given
> document. Thus I decide to configure Apache to treat all .html files as
> PHP files.
>
> How much overhead does this add for the common case when a file only
> contains static data, no PHP? Would I notice the hit?
>
In case you mainly want to hide the use of PHP, why not call your files .jsp or .aspx and send fake headers, or just remove the PHP headers and call your PHP files .htm and the normal files .html?

Jakob

--
Sun Certified Programmer for the Java 2 Platform, Standard Edition 5.0

From pmjones88 at gmail.com Sun Sep 2 14:00:24 2007
From: pmjones88 at gmail.com (Paul M Jones)
Date: Sun, 2 Sep 2007 13:00:24 -0500
Subject: [nycphp-talk] Minimal overhead
In-Reply-To: <46DAA662.6050404@metalab.unc.edu>
References: <46DAA662.6050404@metalab.unc.edu>
Message-ID: <3E727EC7-2A6C-4DEB-A77B-9614A0F0F05A@gmail.com>

On Sep 2, 2007, at 7:02 AM, Elliotte Harold wrote:
> Suppose I don't want it to be so obvious that I'm using PHP on a
> site, Or that I just want the freedom to not always use PHP in a
> given document. Thus I decide to configure Apache to treat
> all .html files as PHP files.
>
> How much overhead does this add for the common case when a file
> only contains static data, no PHP? Would I notice the hit?

Depends on the particular server, but: merely invoking the PHP interpreter, you can expect it to cut your requests-per-second by 40 to 60 percent. Scroll down to the "Baseline" heading here for more info:

http://paul-m-jones.com/blog/?p=238

--
Paul M. Jones

Solar: Simple Object Library and Application Repository for PHP5. Join the Solar community wiki!
Savant: The simple, elegant, and powerful solution for templates in PHP.

From rolan at omnistep.com Sun Sep 2 21:49:52 2007
From: rolan at omnistep.com (Rolan Yang)
Date: Sun, 02 Sep 2007 21:49:52 -0400
Subject: [nycphp-talk] Minimal overhead
In-Reply-To: <46DAA662.6050404@metalab.unc.edu>
References: <46DAA662.6050404@metalab.unc.edu>
Message-ID: <46DB6840.1050509@omnistep.com>

You might be able to create a modified XBitHack Apache module which essentially checks to see if a file has the "x" (execute) bit set under permissions. If so, then it parses the file; if not, then it displays it as a regular HTML file. This is normally used for server side includes, but you could probably modify the script to execute it as a PHP file instead.

~Rolan

Elliotte Harold wrote:
> Suppose I don't want it to be so obvious that I'm using PHP on a site,
> Or that I just want the freedom to not always use PHP in a given
> document. Thus I decide to configure Apache to treat all .html files
> as PHP files.
>
> How much overhead does this add for the common case when a file only
> contains static data, no PHP? Would I notice the hit?
>

From mitch.pirtle at gmail.com Mon Sep 3 13:56:45 2007
From: mitch.pirtle at gmail.com (Mitch Pirtle)
Date: Mon, 3 Sep 2007 19:56:45 +0200
Subject: [nycphp-talk] Framework poll
In-Reply-To: <46D48188.6000007@enobrev.com>
References: <03fa01c7e9a7$ed94f140$651ba8c0@MobileZ> <46D48188.6000007@enobrev.com>
Message-ID: <330532b60709031056h3648aa50m711562e62fcb4168@mail.gmail.com>

On 8/28/07, Mark Armendariz wrote:
> Brilliant!! And each will have separate implementations for each database
> (mysql, postgres, oracle, xml, couchdb, etc) and then each of those for each
> OS (linux, windows, palm, hacked wii, etc) and we'll name each
> framework/database/os implementation according to our favorite beers, which
> we'll pick according to our ruby-poll.

Ok then, when do we get started? I can set up pound as an application proxy to randomly redirect each incoming request to a different virtual host. I can write the log rotate and analysis stuff in Python. We even get to implement session handlers over and over!

I mean, this *is* what PHP developers like to do, right? hehe

-- Mitch

From maxarbos at yahoo.com Mon Sep 3 14:24:32 2007
From: maxarbos at yahoo.com (Bill P.)
Date: Mon, 3 Sep 2007 11:24:32 -0700 (PDT)
Subject: [nycphp-talk] MSSql , IIS Encrypted Connection String
Message-ID: <27060.96537.qm@web90602.mail.mud.yahoo.com>

Hello,

I have a project that will be using IIS and MSSQL. I need to use an encrypted connection string in my config/lib.php file.

MSSQL has built-in encrypted connection ability, but within ASP.

Everything will be written in PHP, so does anyone have any suggestions on encrypting a connection string to connect to a MSSQL db?

thanks.

Bill

-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From tom at supertom.com Tue Sep 4 00:17:14 2007
From: tom at supertom.com (Tom Melendez)
Date: Mon, 3 Sep 2007 21:17:14 -0700
Subject: [nycphp-talk] MSSql , IIS Encrypted Connection String
In-Reply-To: <27060.96537.qm@web90602.mail.mud.yahoo.com>
References: <27060.96537.qm@web90602.mail.mud.yahoo.com>
Message-ID: <117286890709032117s7bde7f61l49409afbdb5b581d@mail.gmail.com>

> I have a project that will be using IIS and mssql.
> I need to use an encrypted conneciton string in my config/lib.php file.
>
> mssql has built in encryption connection ability, but within asp.
>
> Everything will be written in php so does anyone have any suggestions on
> encrypting a connection string to connect to a mssql db?
>

Do you know any more about the encryption mechanism used by MSSQL and ASP? I would think it could be duplicated somehow. Any docs available on the subject?

Tom
http://www.liphp.org

From bz-gmort at beezifies.com Tue Sep 4 08:35:38 2007
From: bz-gmort at beezifies.com (Gary Mort)
Date: Tue, 04 Sep 2007 08:35:38 -0400
Subject: [nycphp-talk] MSSql , IIS Encrypted Connection String
In-Reply-To: <27060.96537.qm@web90602.mail.mud.yahoo.com>
References: <27060.96537.qm@web90602.mail.mud.yahoo.com>
Message-ID: <46DD511A.2040709@beezifies.com>

Bill P. wrote:
> Hello,
>
> I have a project that will be using IIS and mssql.
> I need to use an encrypted conneciton string in my config/lib.php file.
>
> mssql has built in encryption connection ability, but within asp.
>
> Everything will be written in php so does anyone have any suggestions
> on encrypting a connection string to connect to a mssql db?
>
What's the point of encrypting the data?

Reading through http://msdn2.microsoft.com/en-us/library/ms998280.aspx and http://msdn2.microsoft.com/en-us/library/ms998283.aspx, it is purely a local system server protection.

I.e. you have web servers A, B, and C. You have MSSQL server D and a database (MyDatabase). A web application running on the web server wants to connect to the MSSQL server. Using ASP, some code somewhere says "Connect to MyDatabase, a MSSQL Database". ASP will then search for a text file called web.conf, and it will grab the connection information stored there (the server it is on, the database name, yadda yadda). Then it connects up to the server and does whatever you want it to do.

"Encrypted connection string" just means that the data stored in that text file is encrypted, using either an RSA mechanism or DPAPI - which to tell you the truth is completely beyond me. I know there are different mechanisms for encryption. I know in a general way how public/private key encryption works. And I know the longer the key length, in general, the more secure and the longer to process. When I need to know more than that, I research what the industry standards are at that time, what is the best performance for a situation, and move on. Trying to understand the math behind it all would drive me bonkers.

Using encrypted connection strings, the ASP program has an extra step. It accesses the text file, grabs the data, and then decrypts the data and uses it. It doesn't actually send the data in an encrypted format to the server - the key to noticing this for me was that your ASP program can display the plaintext decoded info to you, so it's decoding it on the web server.

So really, you get the same benefit by choosing any encryption scheme you like for PHP and encrypting the connection information file that you're using.

The only reason I can see to use "encrypted connection strings" the Microsoft way is the method used in that RSA article (link above). There, they suggest that for a server farm, what you would do is create the connection string file on the MSSQL server system (or on your own system, whatever. The point is, you don't create it on servers A, B, and C). Then you encrypt the file using RSA and transfer both the encrypted file AND the RSA private key needed to decrypt the file to servers A, B, and C. Then by installing them under the appropriate user, web apps running under that user can decrypt the data.

If that is your goal, find a PHP RSA decryption routine, place the private key somewhere secure on your server, and use the key to decrypt the connection string file. Then parse the file and shove the appropriate fields into your PHP connection. If you want to use their method, they store the private key in the registry, so you can pull it out the same way.

Am I missing something here on how encrypted connection string works? (Besides the obvious that Microsoft went to great lengths to describe a fairly simple process in complex language such that it would appear to be a function exclusive to their API, instead of a fairly trivial implementation of standard config file encryption. I mean, on first glance, I thought it was pretty cool, the concept being that you would provide the web servers with a connection string encrypted just for each server, and that server would send the encrypted data to the database server - thus it would not ever know what the true userid and password was, and since the key is assigned to an IP address, a connection using the same config file from a different system would be rejected. But no, it doesn't seem to be that, just a local config file encryption.)

From ken at secdat.com Tue Sep 4 08:50:56 2007
From: ken at secdat.com (Kenneth Downs)
Date: Tue, 04 Sep 2007 08:50:56 -0400
Subject: [nycphp-talk] AJAX and State
Message-ID: <46DD54B0.5060803@secdat.com>

One thing that seems to have gone unsaid in the praise for Ajax is its ability to radically transform how we maintain state.

The web server session is our basic mechanism for storing information between requests. But it gets clumsier and clumsier to try to maintain complex state across many page requests when you use a session. Ingenious minds have put their will to the problem and come up with workable systems, but all of them are complicated because of the nature of the problem.

That problem, stated here, is simply the problem of tracking what I'll call the "context" of a user's session. Some elements of a session are fixed: the user id, the password, a few other things, but almost everything that we need to track is always changing. A basic example: a list of search results. Where do you store it? When the user hits "NEXT PAGE", how do you know what to do? If you are using a session, what happens if he opens a new window and has two search result sets up for two different tables?

Ajax solves this problem neatly by letting you move all state [1] into the browser. This makes sense from an architectural viewpoint because we are putting this context information close to where it is needed, the UI.
I've been converting the basic Andromeda UI code over to a completely AJAX system [2], and have found my code radically simplified and far smoother, due almost entirely to the moving of all state information to the browser. Hurray for Ajax!

[1] Here I'll use "state" to mean the changing context of user requests, and assume we are still using the session for User_id and password.

[2] Andromeda is used to make database applications for businesses; we don't care in this case about google following our links.

--
Kenneth Downs
Secure Data Software, Inc.
www.secdat.com  www.andromeda-project.org
631-689-7200  Fax: 631-689-0527
cell: 631-379-0010

From jonbaer at jonbaer.com Tue Sep 4 10:33:16 2007
From: jonbaer at jonbaer.com (Jon Baer)
Date: Tue, 4 Sep 2007 10:33:16 -0400
Subject: [nycphp-talk] AJAX and State
In-Reply-To: <46DD54B0.5060803@secdat.com>
References: <46DD54B0.5060803@secdat.com>
Message-ID: <46DB80D6-790B-4260-A4B6-17F2E3BCCE64@jonbaer.com>

Personally ... I think even broader ideas like Dojo Offline (http://dojotoolkit.org/offline) and Google Gears (http://gears.google.com/) take it to an even further level which has not been tapped (yet). Now if only you can sneak it into a project ;-)

- Jon

On Sep 4, 2007, at 8:50 AM, Kenneth Downs wrote:
> One thing that seems to have gone unsaid in the praise for Ajax is
> its ability to radically transform how we maintain state.
>
> The web server session is our basic mechanism for storing
> information between requests. But it gets clumsier and clumsier to
> try to maintain complex state across many page requests when you
> use a session. Ingenious minds have put their will to the problem
> and come up with workable systems, but all of them are complicated
> because of the nature of the problem.
>
> That problem, stated here, is simply the problem of tracking what
> I'll call the "context" of a user's session. Some elements of a
> session are fixed: the user id, the password, a few other things,
> but almost everything that we need to track is always changing. A
> basic example: a list of search results. Where do you store it?
> When the user hits, "NEXT PAGE", how do you know what to do? If
> you are using a session, what happens if he opens a new window and
> has two search results sets up for two different tables?
>
> Ajax solves this problem neatly by letting you move all state [1]
> into the browser. This makes sense from an architectural viewpoint
> because we are putting this context information close to where it
> is needed, the UI.
> I've been converting the basic Andromeda UI code over to a
> completely AJAX system [1], and have found my code radically
> simplified and far smoother, due almost entirely to the moving of
> all state information to the browser. Hurray for Ajax!
>
> [1] Here I'll use "state" to mean the changing context of user
> requests, and assume we are still using the session for User_id and
> password.
>
> [2] Andromeda is used to make database applications for businesses,
> we don't care in this case about google following our links.
>
>
> --
> Kenneth Downs
> Secure Data Software, Inc.
> www.secdat.com www.andromeda-project.org
> 631-689-7200 Fax: 631-689-0527
> cell: 631-379-0010
>

From ken at secdat.com Tue Sep 4 13:37:10 2007
From: ken at secdat.com (Kenneth Downs)
Date: Tue, 04 Sep 2007 13:37:10 -0400
Subject: [nycphp-talk] Finding event listeners?
Message-ID: <46DD97C6.8000805@secdat.com>

I cannot seem to figure out which javascript function I would use to determine the event listeners that have been added to an element. Can anybody steer me on this? Thanks...

--
Kenneth Downs
Secure Data Software, Inc.
www.secdat.com  www.andromeda-project.org
631-689-7200  Fax: 631-689-0527
cell: 631-379-0010

From ken at secdat.com Tue Sep 4 13:41:18 2007
From: ken at secdat.com (Kenneth Downs)
Date: Tue, 04 Sep 2007 13:41:18 -0400
Subject: [nycphp-talk] AJAX and State
In-Reply-To: <46DB80D6-790B-4260-A4B6-17F2E3BCCE64@jonbaer.com>
References: <46DD54B0.5060803@secdat.com> <46DB80D6-790B-4260-A4B6-17F2E3BCCE64@jonbaer.com>
Message-ID: <46DD98BE.9020304@secdat.com>

I have not looked at Dojo yet, though they have been on "the list" for a while. The Firefox extensions are now looking really exciting. I am looking to download or write an extension that will let me ship photographs from a camera directly to the database, and also to intercept bar code scans and do some intelligent page routing. Fun stuff.

Jon Baer wrote:
> Personally ... I think even broader ideas like Dojo Offline
> (http://dojotoolkit.org/offline) and Google Gears
> (http://gears.google.com/) takes it to an even further level which has
> not been tapped (yet). Now if only you can sneak it into a project ;-)
>
> - Jon
>
> On Sep 4, 2007, at 8:50 AM, Kenneth Downs wrote:
>
>> One thing that seems to have gone unsaid in the praise for Ajax is
>> its ability to radically transform how we maintain state.
>>
>> The web server session is our basic mechanism for storing information
>> between requests. But it gets clumsier and clumsier to try to
>> maintain complex state across many page requests when you use a
>> session. Ingenious minds have put their will to the problem and come
>> up with workable systems, but all of them are complicated because of
>> the nature of the problem.
>>
>> That problem, stated here, is simply the problem of tracking what
>> I'll call the "context" of a user's session. Some elements of a
>> session are fixed: the user id, the password, a few other things, but
>> almost everything that we need to track is always changing. A basic
>> example: a list of search results. Where do you store it? When the
>> user hits, "NEXT PAGE", how do you know what to do? If you are using
>> a session, what happens if he opens a new window and has two search
>> results sets up for two different tables?
>>
>> Ajax solves this problem neatly by letting you move all state [1]
>> into the browser. This makes sense from an architectural viewpoint
>> because we are putting this context information close to where it is
>> needed, the UI.
>> I've been converting the basic Andromeda UI code over to a completely
>> AJAX system [1], and have found my code radically simplified and far
>> smoother, due almost entirely to the moving of all state information
>> to the browser. Hurray for Ajax!
>>
>> [1] Here I'll use "state" to mean the changing context of user
>> requests, and assume we are still using the session for User_id and
>> password.
>>
>> [2] Andromeda is used to make database applications for businesses,
>> we don't care in this case about google following our links.
>>
>>
>> --Kenneth Downs
>> Secure Data Software, Inc.
>> www.secdat.com www.andromeda-project.org
>> 631-689-7200 Fax: 631-689-0527
>> cell: 631-379-0010
>>

--
Kenneth Downs
Secure Data Software, Inc.
www.secdat.com  www.andromeda-project.org
631-689-7200  Fax: 631-689-0527
cell: 631-379-0010

From tedd at sperling.com Tue Sep 4 20:00:41 2007
From: tedd at sperling.com (tedd)
Date: Tue, 4 Sep 2007 20:00:41 -0400
Subject: [nycphp-talk] Finding event listeners?
In-Reply-To: <46DD97C6.8000805@secdat.com>
References: <46DD97C6.8000805@secdat.com>
Message-ID:

At 1:37 PM -0400 9/4/07, Kenneth Downs wrote:
>I cannot seem to figure out which javascript function I would use to
>determine the event listeners that have been added to an element.
>Can anybody steer me on this? Thanks...
>
>--
>Kenneth Downs

Kenneth:

You probably should post this question to a javascript list, but a listener is triggered by an event.

I can think of 7 (may be more) and they all start with "on" (i.e., onBlur, onClick, onSubmit, onLoad, onChange, onMouseOut, onMouseOver), not counting onreadystatechange via ajax/ahah.

So, what triggers the event for the element?

Cheers,

tedd

--
-------
http://sperling.com  http://ancientstones.com  http://earthstones.com

From jonbaer at jonbaer.com Tue Sep 4 20:28:35 2007
From: jonbaer at jonbaer.com (Jon Baer)
Date: Tue, 4 Sep 2007 20:28:35 -0400
Subject: [nycphp-talk] Finding event listeners?
In-Reply-To:
References: <46DD97C6.8000805@secdat.com>
Message-ID: <3DE172F5-DD82-4A8A-9ECA-7FD04263CF72@jonbaer.com>

Actually a pretty good question ... I was under the assumption that you could call Event.observers in Prototype and get back an array of elements and handlers, but after glimpsing through the API that was not the case. In fact, since it's not a DOM-level call, it seems that it would be pretty API independent. It seems that they even removed that and implemented a stacked cache a while back ...

http://dev.rubyonrails.org/browser/spinoffs/prototype/trunk/src/event.js

Interesting that you can't get back an array of listeners for an element.

- Jon

On Sep 4, 2007, at 8:00 PM, tedd wrote:
> At 1:37 PM -0400 9/4/07, Kenneth Downs wrote:
>> I cannot seem to figure out which javascript function I would use
>> to determine the event listeners that have been added to an
>> element. Can anybody steer me on this? Thanks...
>>
>> --
>> Kenneth Downs
>
> Kenneth:
>
> You probably should post this question to a javascript list, but a
> listener is triggered by an event.
>
> I can think of 7 (may be more) and they all start with "on" (i.e.,
> onBlur, onClick, onSubmit, onLoad, onChange, onMouseOut,
> onMouseOver) not counting onreadystatechange via ajax/ahah.
>
> So, what triggers the event for the element?
>
> Cheers,
>
> tedd
> --
> -------
> http://sperling.com http://ancientstones.com http://earthstones.com

From jcampbell1 at gmail.com Tue Sep 4 20:35:33 2007
From: jcampbell1 at gmail.com (John Campbell)
Date: Tue, 4 Sep 2007 20:35:33 -0400
Subject: [nycphp-talk] Finding event listeners?
In-Reply-To: <46DD97C6.8000805@secdat.com>
References: <46DD97C6.8000805@secdat.com>
Message-ID: <8f0676b40709041735m2bb9936gaaa11747fc7212c0@mail.gmail.com>

> I cannot seem to figure out which javascript function I would use to
> determine the event listeners that have been added to an element. Can
> anybody steer me on this? Thanks...

It is not possible to get a listing using the W3C DOM methods. You will have to use a custom event manager if you want to be able to get an array of references to the function objects.

From lists at silmail.com Wed Sep 5 02:32:53 2007
From: lists at silmail.com (Jiju Thomas Mathew)
Date: Wed, 5 Sep 2007 12:02:53 +0530
Subject: [nycphp-talk] how did you learn php?
In-Reply-To: <98a958580708261850v3094dca8sbf5af23165d1bec7@mail.gmail.com>
References: <98a958580708261850v3094dca8sbf5af23165d1bec7@mail.gmail.com>
Message-ID: <6431a0f40709042332u2cac1502p9262dd6157579b4b@mail.gmail.com>

On 8/27/07, Anthony wrote:
>
> Hey, i'm kinda new around here and just tinkering around with php. My
> question to you guys is how did you learn? by reading or by taking apart
> scripts and adding your own style or what? I'm very curious.
>

Well, it was really great to see all those replies, and I could not resist adding my own views.

I started doing PHP on a fury, to prove that PHP was better than JSP (no flames, and I don't want to hurt anyone). At that time I just had experience in Perl CGI, and wanted to switch somehow, due to the hype PHP was getting. My first project was a fully written community site just for the Hero Honda CBZ users, since we had a handful in our neighbourhood. Well, it was really tough, when starting with a personal project, but I myself being the project owner, I could decide on what features and where to cut corners. The biggest lifesaver was the dynamic function reference at http://php.net, which I had started to rsync to my office once a week long back. And to admit it, once done it was a piece of hell.
From then on there was no turning back. Currently I am mostly doing code reviews, guiding new recruits and doing R&D. -- Jiju Thomas Mathew Technology Officer, Saturn Systemwares Pvt Ltd Gayathri, Technopark, Trivandrum, Kerala, India Mob: 91 94470 47989 Tel : +91 471 3255001 http://www.saturn.in -------------- next part -------------- An HTML attachment was scrubbed... URL: From paulcheung at tiscali.co.uk Wed Sep 5 06:26:02 2007 From: paulcheung at tiscali.co.uk (PaulCheung) Date: Wed, 5 Sep 2007 11:26:02 +0100 Subject: [nycphp-talk] PHP REDIRECT References: <20070701.215701.25801.0@webmail14.dca.untd.com> Message-ID: <000501c7efa7$28d0fbf0$0200a8c0@X9183> Can anybody help? I am using "MAINMENU" built in HTML forms to get to get me to where I want to be (Add, Update or Print record) and of course, I cannot update or print a record that does not exist yet. Here is a snippet of the coding. HTML coding more HTML coding PHP coding more PHP coding . $q="Select SQL_CALC_FOUND_ROWS * FROM test_table WHERE customer = $customer ORDER BY invoices LIMIT $cps, $rpp"; . PHP coding more PHP coding more coding . if ($number_of_records == 0) {$link = "http://localhost/mainmenu.php";} I have also tried header('Location: http://localhost/mainmenu.php); With this PHP gets really ticked-off giving me a long error message and points to a line which contains the following coding. Be sure to have an image with a good resolution so that it does not pixelize when you enlarge it ----- Original Message ---- From: selyah To: NYPHP Talk Sent: Saturday, September 8, 2007 1:12:55 PM Subject: [nycphp-talk] Roll ove image Hello ; I am in the process of completing a very complex php script and need to add a special effect using html. The effect that i have to do is a simple roll over images and upon each roll over with the mouse the images increase in size and then return back to the original size. The problem is that i am sure that this involves javascript and that is my weak point. 
Therefore, i am asking anyone who can assist with a sample code or know of a link that would be helpful. Thanks Send instant messages to your online friends http://uk.messenger.yahoo.com -------------- next part -------------- An HTML attachment was scrubbed... URL: From jonbaer at jonbaer.com Sat Sep 8 09:04:55 2007 From: jonbaer at jonbaer.com (Jon Baer) Date: Sat, 8 Sep 2007 09:04:55 -0400 Subject: [nycphp-talk] Roll ove image In-Reply-To: <580401.39354.qm@web30812.mail.mud.yahoo.com> References: <580401.39354.qm@web30812.mail.mud.yahoo.com> Message-ID: <311ECA73-7DF4-4E90-86B6-92E03C87CD8D@jonbaer.com> Probably the best way I've seen it implemented (and easiest) would be to use the Fisheye plugin for jQuery ... http://www.ndesign-studio.com/demo/css-dock-menu/css-dock.html * Download link (jQuery): http://docs.jquery.com/Downloading_jQuery#Current_Release * Download link (Fisheye): http://interface.eyecon.ro/download (Although the SVN copy of jQuery might have the latest version of this plugin - not 100% sure) - Jon On Sep 8, 2007, at 1:12 AM, selyah wrote: > Hello ; > I am in the process of completing a very complex php script and > need to add a special effect using html. The effect that i have to > do is a simple roll over images and upon each roll over with the > mouse the images increase in size and then return back to the > original size. The problem is that i am sure that this involves > javascript and that is my weak point. > Therefore, i am asking anyone who can assist with a sample code or > know of a link that would be helpful. > Thanks > _______________________________________________ > New York PHP Community Talk Mailing List > http://lists.nyphp.org/mailman/listinfo/talk > > NYPHPCon 2006 Presentations Online > http://www.nyphpcon.com > > Show Your Participation in New York PHP > http://www.nyphp.org/show_participation.php -------------- next part -------------- An HTML attachment was scrubbed...
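Added example for the PHP REDIRECT question above (editor's code, not from the original poster). Two things in that snippet deserve attention: $customer, $cps and $rpp are interpolated straight into the SQL string, so any of them arriving from a form is an SQL injection point, and header('Location: ...') only works when nothing has yet been sent to the browser. The code below binds the customer filter and the LIMIT operands as PDO parameters and issues the redirect before any output, followed by exit. It assumes a MySQL PDO connection, the table and column names exactly as written in the question, and that the three values arrive via $_GET; none of that is stated in the original.

```php
<?php
// Added example (editor's code, not from the original post). It reworks the
// query and redirect from the "PHP REDIRECT" question: the customer filter
// and the LIMIT operands are bound as parameters instead of being pasted
// into the SQL string, and the redirect to mainmenu.php is sent with
// header() before any output, followed by exit.
//
// Assumptions not stated in the original: a MySQL PDO connection, the table
// and column names as written in the question, and $customer, $cps (offset)
// and $rpp (rows per page) arriving via $_GET.

declare(strict_types=1);

function make_pdo(): PDO
{
    return new PDO('mysql:host=localhost;dbname=testdb;charset=utf8mb4', 'user', 'pass', [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        // Real server-side prepares; with emulation on, a string bound to
        // LIMIT would be quoted and MySQL would reject the statement.
        PDO::ATTR_EMULATE_PREPARES => false,
    ]);
}

/**
 * One page of invoices for a customer.
 * Returns ['rows' => array, 'total' => int]; total is the unpaginated count.
 */
function fetch_invoice_page(PDO $pdo, string $customer, int $offset, int $perPage): array
{
    if ($offset < 0 || $perPage < 1 || $perPage > 500) {
        throw new InvalidArgumentException('bad paging values');
    }

    // SQL_CALC_FOUND_ROWS / FOUND_ROWS() are MySQL-specific, as in the
    // original query (and deprecated from MySQL 8.0.17 in favour of a
    // separate COUNT(*) query).
    $stmt = $pdo->prepare(
        'SELECT SQL_CALC_FOUND_ROWS * FROM test_table'
        . ' WHERE customer = :customer ORDER BY invoices LIMIT :offset, :rpp'
    );
    $stmt->bindValue(':customer', $customer, PDO::PARAM_STR);
    $stmt->bindValue(':offset', $offset, PDO::PARAM_INT);
    $stmt->bindValue(':rpp', $perPage, PDO::PARAM_INT);
    $stmt->execute();
    $rows  = $stmt->fetchAll(PDO::FETCH_ASSOC);
    $total = (int) $pdo->query('SELECT FOUND_ROWS()')->fetchColumn();

    return ['rows' => $rows, 'total' => $total];
}

/**
 * Redirect and stop. This must run before any byte of output (no HTML,
 * no whitespace before <?php), otherwise header() fails with
 * "headers already sent".
 */
function redirect_and_exit(string $url): void
{
    if (headers_sent($file, $line)) {
        throw new RuntimeException("output already started at $file:$line");
    }
    header('Location: ' . $url, true, 303);
    exit;
}

// Request handling. Paging values are validated as bounded integers; the
// customer value is passed through as a bound string, never interpolated.
$pdo      = make_pdo();
$customer = is_string($_GET['customer'] ?? null) ? $_GET['customer'] : '';
$cps      = filter_var($_GET['cps'] ?? 0, FILTER_VALIDATE_INT,
                       ['options' => ['default' => 0,  'min_range' => 0]]);
$rpp      = filter_var($_GET['rpp'] ?? 20, FILTER_VALIDATE_INT,
                       ['options' => ['default' => 20, 'min_range' => 1, 'max_range' => 500]]);

$page = fetch_invoice_page($pdo, $customer, $cps, $rpp);
if ($page['total'] === 0) {
    redirect_and_exit('/mainmenu.php');  // relative target; no hard-coded host
}
// ... render $page['rows'] below this point ...
```

The order matters: the redirect decision is made, and header() called, before the page emits a single byte. Putting the same header() call after the HTML has started is what produces the "headers already sent" error, and a missing closing quote in the call itself produces a parse error pointing at that line.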
URL: From bz-gmort at beezifies.com Sat Sep 8 09:19:05 2007 From: bz-gmort at beezifies.com (Gary Mort) Date: Sat, 08 Sep 2007 09:19:05 -0400 Subject: [nycphp-talk] Emailing files from server In-Reply-To: <46E1E55B.6020704@phpwerx.net> References: <00b301c7f189$00be6600$6600a8c0@adam> <46E1C57B.8000209@beezifies.com> <46E1E55B.6020704@phpwerx.net> Message-ID: <46E2A149.9090408@beezifies.com> Dan Cech wrote: > I haven't heard of that one, but I've used PHPMailer [1] with great > success, and I hear SwiftMailer is excellent too (and actively > maintained unlike PHPMailer and HTMLMimeMail). > I'm not too concerned about active maintenance, since the functions are pretty simple. As I recall, I have only ever had to upgrade HTMLMimeMail once when I replaced sendmail with postfix on a server and discovered the old version of HTMLMimeMail had a bug in it (it was not formatting the headers with the correct carriage return codes. The old sendmail processed it anyway, the new postfix dropped the mail as not being formatted properly. Of course, I only discovered this when the client went to send out 800 emails a month later for a mailshot using a tool someone else wrote that I was unaware of. That was a fun couple of hours of figuring out how the thing worked to track down the problem.) From bz-gmort at beezifies.com Sat Sep 8 09:28:54 2007 From: bz-gmort at beezifies.com (Gary Mort) Date: Sat, 08 Sep 2007 09:28:54 -0400 Subject: [nycphp-talk] Emailing files from server In-Reply-To: <46E1E55B.6020704@phpwerx.net> References: <00b301c7f189$00be6600$6600a8c0@adam> <46E1C57B.8000209@beezifies.com> <46E1E55B.6020704@phpwerx.net> Message-ID: <46E2A396.2000300@beezifies.com> Dan Cech wrote: > Not only do they build the email and take care of such niceties as > encoding, etc, you also get drop-in SMTP and a host of other goodies.
> > Hmm, looking over the swift feature set (yeah, I replied before loading it... sorry, not awake yet) swift looks fairly nice - I'm in the middle of rewriting a number of email functions, so I'll give swift a try and see how it works. HTMLMimeMailer will also use an SMTP host, and as I recall will handle pop3 logon before send functionality either easily or with a small hack (so you can keep all your programs on 1 host, but spread the email sending to separate hosts by functionality - email list, transaction oriented, and normal correspondence - so idiots who sign up to your mailing list and then want off but won't click the unsub link won't lock out your transactional emails from AOL when they report you as spam). From tedd at sperling.com Sat Sep 8 11:53:08 2007 From: tedd at sperling.com (tedd) Date: Sat, 8 Sep 2007 11:53:08 -0400 Subject: [nycphp-talk] Roll ove image In-Reply-To: <580401.39354.qm@web30812.mail.mud.yahoo.com> References: <580401.39354.qm@web30812.mail.mud.yahoo.com> Message-ID: At 10:12 PM -0700 9/7/07, selyah wrote: > Hello ; >I am in the process of completing a very complex php script and >need to add a special effect using html. The effect that i have to >do is a simple roll over images and upon each roll over with the >mouse the images increase in size and then return back to the >original size. The problem is that i am sure that this involves >javascript and that is my weak point. >Therefore, i am asking anyone who can assist with a sample code or >know of a link that would be helpful. >Thanks selyah: Here is an example of an enlarging roll-over using only css with no javascript. http://webbytedd.com/bb/replace-image2/ If that's what you want, everything's there.
Cheers, tedd -- ------- http://sperling.com http://ancientstones.com http://earthstones.com From ereyes at totalcreations.com Sat Sep 8 12:04:35 2007 From: ereyes at totalcreations.com (Edgar Reyes) Date: Sat, 08 Sep 2007 12:04:35 -0400 Subject: [nycphp-talk] Roll ove image In-Reply-To: References: <580401.39354.qm@web30812.mail.mud.yahoo.com> Message-ID: <013e01c7f231$f3e467a0$6500a8c0@ERTop> Here is a simple way to do a roll over effect for images; ER -----Original Message----- From: talk-bounces at lists.nyphp.org [mailto:talk-bounces at lists.nyphp.org] On Behalf Of tedd Sent: Saturday, September 08, 2007 11:53 AM To: NYPHP Talk Subject: Re: [nycphp-talk] Roll ove image At 10:12 PM -0700 9/7/07, selyah wrote: > Hello ; >I am in the process of completing a very complex php script and >need to add a special effect using html. The effect that i have to >do is a simple roll over images and upon each roll over with the >mouse the images increase in size and then return back to the >original size. The problem is that i am sure that this involves >javascript and that is my weak point. >Therefore, i am asking anyone who can assist with a sample code or >know of a link that would be helpful. >Thanks selyah: Here is an example of an enlarging roll-over using only css with no javascript. http://webbytedd.com/bb/replace-image2/ If that's what you want, everything's there.
Cheers, tedd -- ------- http://sperling.com http://ancientstones.com http://earthstones.com _______________________________________________ New York PHP Community Talk Mailing List http://lists.nyphp.org/mailman/listinfo/talk NYPHPCon 2006 Presentations Online http://www.nyphpcon.com Show Your Participation in New York PHP http://www.nyphp.org/show_participation.php From rick at click-rick.net Sat Sep 8 13:01:04 2007 From: rick at click-rick.net (Rick Retzko) Date: Sat, 8 Sep 2007 13:01:04 -0400 Subject: [nycphp-talk] Mouse Over Menu In-Reply-To: <7.0.1.0.2.20070907220925.02af5e18@e-government.com> References: <46DD54B0.5060803@secdat.com> <46E1238E.5010307@metalab.unc.edu><46E13029.1030702@gmx.net> <46E1378D.4070006@metalab.unc.edu><46E181C2.1020501@gmx.net> <7.0.1.0.2.20070907220925.02af5e18@e-government.com> Message-ID: <00ee01c7f239$d8c9ccf0$6600a8c0@adam> Hi - Take a look at 'Stylin' with CSS' (Charles Wyke-Smith); he devotes about 20 pages to building exactly this without any javascript, including the hacks necessary for IE. A bit tricky, but it works. The book is very functional if you're just getting past the basics. You can also download the script from his www.bbd.com/stylin site. Best Regards - Rick ============ MFR Holdings, LLC rick at click-rick.net 201.755.4083 -----Original Message----- From: talk-bounces at lists.nyphp.org [mailto:talk-bounces at lists.nyphp.org] On Behalf Of Urb LeJeune Sent: Friday, September 07, 2007 10:11 PM To: NYPHP Talk Subject: [nycphp-talk] Mouse Over Menu I'm looking to do a mouse over menu. You run the mouse over a main item and a submenu appears, if available. I would prefer a css implementation although a Java Script application would be acceptable. Does anyone have any experience with such an animal, or is willing to make a suggestion? Thanks Urb Dr. Urban A.
LeJeune, President E-Government.com 800-204-9545 _______________________________________________ New York PHP Community Talk Mailing List http://lists.nyphp.org/mailman/listinfo/talk NYPHPCon 2006 Presentations Online http://www.nyphpcon.com Show Your Participation in New York PHP http://www.nyphp.org/show_participation.php From bz-gmort at beezifies.com Sat Sep 8 13:06:26 2007 From: bz-gmort at beezifies.com (Gary Mort) Date: Sat, 08 Sep 2007 13:06:26 -0400 Subject: [nycphp-talk] Books & magazines Message-ID: <46E2D692.8020703@beezifies.com> Just wondering what books and magazines people here particularly like for PHP programming. Which are good for learning, and which are good for reference. From rick at click-rick.net Sat Sep 8 13:24:43 2007 From: rick at click-rick.net (Rick Retzko) Date: Sat, 8 Sep 2007 13:24:43 -0400 Subject: [nycphp-talk] Books & magazines In-Reply-To: <46E2D692.8020703@beezifies.com> References: <46E2D692.8020703@beezifies.com> Message-ID: <00ef01c7f23d$268f7090$6600a8c0@adam> Hi Gary - Thanks for the previous response to my email-attachment-from-server query. Reference books I keep on my shelf: PHP and MySQL For Dynamic Web Sites (Larry Ullman) PHP and MySQL Web Development (Welling, Thomson) Php|architect's Guide to PHP Security (Alshanetsky) Don't make me think! (Krug) Stylin' with CSS (Wyke-Smith) Bulletproof Web Design (Cederholm) CSS Mastery (Budd, Moll, Collison) Magazine: php|Architect Best Regards - Rick ============ MFR Holdings, LLC rick at click-rick.net 201.755.4083 -----Original Message----- From: talk-bounces at lists.nyphp.org [mailto:talk-bounces at lists.nyphp.org] On Behalf Of Gary Mort Sent: Saturday, September 08, 2007 1:06 PM To: NYPHP Talk Subject: [nycphp-talk] Books & magazines Just wondering what books and magazines people here particularly like for PHP programming. Which are good for learning, and which are good for reference.
_______________________________________________ New York PHP Community Talk Mailing List http://lists.nyphp.org/mailman/listinfo/talk NYPHPCon 2006 Presentations Online http://www.nyphpcon.com Show Your Participation in New York PHP http://www.nyphp.org/show_participation.php From ben at projectskyline.com Sat Sep 8 14:34:33 2007 From: ben at projectskyline.com (Ben Sgro (ProjectSkyLine)) Date: Sat, 8 Sep 2007 14:34:33 -0400 Subject: [nycphp-talk] Books & magazines References: <46E2D692.8020703@beezifies.com> <00ef01c7f23d$268f7090$6600a8c0@adam> Message-ID: <002701c7f246$e74dda20$6401a8c0@gamebox> Hello Gary, SOME books off my shelf: R = reference L = learning Older: Web Database Applications w/PHP & Mysql (ORLY) - R PHP 4? (ORLY) - L (lots of source code errors though!!!) SQL for Dummies - R Newer: PHP 5 and MySQL E-Commerce (Apress) - haven't touched this one yet but came recommended Ajax Design Patterns (ORLY) - ok - R Foundations of PEAR (APRESS) - good reference, ok example source - R Pro PHP Security (APRESS) - great book, great source - LR Pro CSS and HTML Design Patterns (APRESS) - pretty good, decent source - LR PHP 5 Objects, Patterns, Practice (Apress) - good - LR Good reads: The art of unix programming (Addison Wesley) - excellent read - LLLL Best software writing & Joel on software - EXCELLENT reads - LL Disliked: Pro Javascript Techniques (Apress) - blah, had mistakes in source. - !L Any and ALL Wrox books. Wrox sux. - !L || R -= ] - Ben ----- Original Message ----- From: "Rick Retzko" To: "'NYPHP Talk'" Sent: Saturday, September 08, 2007 1:24 PM Subject: RE: [nycphp-talk] Books & magazines > Hi Gary - Thanks for the previous response to my > email-attachment-from-server query. > > Reference books I keep on my shelf: > PHP and MySQL For Dynamic Web Sites (Larry Ullman) > PHP and MySQL Web Development (Welling, Thomson) > Php|architect's Guide to PHP Security (Alshanetsky) > Don't make me think!
(Krug) > Stylin' with CSS (Wyke-Smith) > Bulletproof Web Design (Cederholm) > CSS Mastery (Budd, Moll,Collison) > > Magazine: php|Architect > > > Best Regards - > > Rick > ============ > MFR Holdings, LLC > rick at click-rick.net > 201.755.4083 > > -----Original Message----- > From: talk-bounces at lists.nyphp.org [mailto:talk-bounces at lists.nyphp.org] > On > Behalf Of Gary Mort > Sent: Saturday, September 08, 2007 1:06 PM > To: NYPHP Talk > Subject: [nycphp-talk] Books & magazines > > Just wondering what books and magazines people here particularly like for > PHP programming. Which are good for learning, and which are good for > reference. > _______________________________________________ > New York PHP Community Talk Mailing List > http://lists.nyphp.org/mailman/listinfo/talk > > NYPHPCon 2006 Presentations Online > http://www.nyphpcon.com > > Show Your Participation in New York PHP > http://www.nyphp.org/show_participation.php From lists at zaunere.com Sat Sep 8 16:16:21 2007 From: lists at zaunere.com (Hans Zaunere) Date: Sat, 8 Sep 2007 16:16:21 -0400 Subject: [nycphp-talk] Php 5.2.4 and Oracle instantclient In-Reply-To: References: <67qvkr$1c64n@mail3.nyumc.org> Message-ID: <097801c7f255$1f54edb0$640aa8c0@MobileZ> Hi Joshua, Joshua Hart wrote on Saturday, September 08, 2007 12:22 AM: > Hi All! > > Does anybody have some hints as to what might be causing a problem > (segfault) with Oracle's instantclient when used in conjunction with > PHP 5.2.4 (both the CLI and a webserver -- apache 2.x). > > If I run simple queries I get a result -- no problem.
(select * from > atable where name='hart') However if I do any more complicated query > (select from two tables via a join for example) I get a segmentation > fault (again both with the CLI and it segfaults the httpd process). > > All programs are built from source (except instantclient which I > downloaded from oracle). I'm running on SLES10 on an ia64 platform. > > The info PHP identifies as the system: > > Linux ssaturn 2.6.16.21-0.8-default #1 SMP Mon Jul 3 18:25:39 UTC > 2006 ia64 And uname -a should report the same. Does what it reports make sense? > Oracle is instantclient ia64-10.2.0.3-20061230 > > oci8 version 1.2.3 revision 1.269.2.16.2.37 > > Here's my configure command for PHP: > > './configure' '--with-zlib' '--with-gd' '--with-jpeg' '--with-png' > '--with-libxml2=/usr/bin' '--with-mysql=/usr/local/mysql5120' > '--with-apxs2=/usr/local/apache2/bin/apxs' '--enable-ftp' > '--with-imap-ssl=/usr/include/ssl' > '--with-imap=/space/custom_builds/imap-stuff/' '--with-openssl' > '--with-pam' '--with-dom' '--with-iconv' '--with-mbstring=all' > '--with-mbregex' '--with-domsxlt' '--with-mcrypt' '--with-xml' > '--with-mime-magic' '--enable-exif' '--enable-uploadprogress' > '--with-xmlrpc' '--with-gettext' '--with-pgsql' > '--with-oci8=instantclient,/usr/local/oracle' Hmm... since this is ia64, there is no lib64 anywhere, right? Make sure PHP is linking against the right libs. Sometimes lib64'ness isn't always obvious. Try adding --with-libdir=lib64 to the PHP ./configure, but I'm not sure on this. Another option would be to strip down the ./configure and add --disable-all. Perhaps there are some conflicts with Oracle, lib64, etc. Then start to add extensions to see if you can isolate the problem. > Again, I can successfully login to the oracle database, and the > simplest of queries works. Anything "complicated" crashes the program.
If I understand correctly - if you login via the Oracle client directly (so no PHP involved), it'll still segfault when there's a complicated query? > I saw on php.net messages about memory exhaustion and segfaults.. > Since I'm using the most recent version of PHP I would not think that > getting an updated PECL package is going to do the trick. I increased > the amt of memory a script can use (in php.ini) to 128Mb but no > difference. Is there somewhere else I should be changing a setting? Things should typically work right out of the box. If there is a new package available, though, it might make sense to try it - it may have some bug fixes. H From jonbaer at jonbaer.com Sat Sep 8 21:57:30 2007 From: jonbaer at jonbaer.com (Jon Baer) Date: Sat, 8 Sep 2007 21:57:30 -0400 Subject: [nycphp-talk] Books & magazines In-Reply-To: <46E2D692.8020703@beezifies.com> References: <46E2D692.8020703@beezifies.com> Message-ID: <9CEFB170-CA95-4371-BF8C-DF47C149BBD5@jonbaer.com> One of the best books I've read(ing) in a while: Beautiful Code http://www.amazon.com/Beautiful-Code-Leading-Programmers-Practice/dp/0596510047/ref=pd_bbs_sr_1/104-9638236-3966325?ie=UTF8&s=books&qid=1189302826&sr=8-1 There are a few chapters which are gems in general thinking. - Jon On Sep 8, 2007, at 1:06 PM, Gary Mort wrote: > Just wondering what books and magazines people here particularly > like for PHP programming. Which are good for learning, and which > are good for reference. > _______________________________________________ > New York PHP Community Talk Mailing List > http://lists.nyphp.org/mailman/listinfo/talk > > NYPHPCon 2006 Presentations Online > http://www.nyphpcon.com > > Show Your Participation in New York PHP > http://www.nyphp.org/show_participation.php -------------- next part -------------- An HTML attachment was scrubbed...
URL: From selyah1 at yahoo.com Sat Sep 8 22:43:41 2007 From: selyah1 at yahoo.com (selyah) Date: Sat, 8 Sep 2007 19:43:41 -0700 (PDT) Subject: [nycphp-talk] Roll ove image In-Reply-To: <238877.68717.qm@web37914.mail.mud.yahoo.com> Message-ID: <390086.55950.qm@web30806.mail.mud.yahoo.com> thank you Jason Sia wrote: Hi, You can create function like this: Be sure to have an image with a good resolution so that it does not pixelize when you enlarge it ----- Original Message ---- From: selyah To: NYPHP Talk Sent: Saturday, September 8, 2007 1:12:55 PM Subject: [nycphp-talk] Roll ove image Hello ; I am in the process of completing a very complex php script and need to add a special effect using html. The effect that i have to do is a simple roll over images and upon each roll over with the mouse the images increase in size and then return back to the original size. The problem is that i am sure that this involves javascript and that is my weak point. Therefore, i am asking anyone who can assist with a sample code or know of a link that would be helpful. Thanks Send instant messages to your online friends http://uk.messenger.yahoo.com _______________________________________________ New York PHP Community Talk Mailing List http://lists.nyphp.org/mailman/listinfo/talk NYPHPCon 2006 Presentations Online http://www.nyphpcon.com Show Your Participation in New York PHP http://www.nyphp.org/show_participation.php -------------- next part -------------- An HTML attachment was scrubbed... URL: From selyah1 at yahoo.com Sat Sep 8 22:46:35 2007 From: selyah1 at yahoo.com (selyah) Date: Sat, 8 Sep 2007 19:46:35 -0700 (PDT) Subject: [nycphp-talk] Roll ove image In-Reply-To: <311ECA73-7DF4-4E90-86B6-92E03C87CD8D@jonbaer.com> Message-ID: <371650.71961.qm@web30805.mail.mud.yahoo.com> thank you Jon Baer wrote: Probably the best way Ive seen it implemented (and easiest) would be to use the Fisheye plugin for jQuery ... 
http://www.ndesign-studio.com/demo/css-dock-menu/css-dock.html * Download link (jQuery): http://docs.jquery.com/Downloading_jQuery#Current_Release * Download link (Fisheye): http://interface.eyecon.ro/download (Although the SVN copy of jQuery might have the latest version of this plugin - not 100% sure) - Jon On Sep 8, 2007, at 1:12 AM, selyah wrote: Hello ; I am in the process of completing a very complex php script and need to add a special effect using html. The effect that i have to do is a simple roll over images and upon each roll over with the mouse the images increase in size and then return back to the original size. The problem is that i am sure that this involves javascript and that is my weak point. Therefore, i am asking anyone who can assist with a sample code or know of a link that would be helpful. Thanks _______________________________________________ New York PHP Community Talk Mailing List http://lists.nyphp.org/mailman/listinfo/talk NYPHPCon 2006 Presentations Online http://www.nyphpcon.com Show Your Participation in New York PHP http://www.nyphp.org/show_participation.php -------------- next part -------------- An HTML attachment was scrubbed... URL: From jonbaer at jonbaer.com Sat Sep 8 23:05:38 2007 From: jonbaer at jonbaer.com (Jon Baer) Date: Sat, 8 Sep 2007 23:05:38 -0400 Subject: [nycphp-talk] CouchDB (PHP) Message-ID: So has anyone here played around w/ CouchDB @ all?
http://blog.labnotes.org/2007/09/02/couchdb-thinking-beyond-the-rdbms/ http://couchdb.org/ PHP5 Client: http://couchprojects.googlecode.com/svn/trunk/libraries/php/CouchDb/ I'm getting the vibe that it would be akin to say SQLite BLOBs w/ slick replication techniques, but have not seen it in action much, but the whole JSON in/out pipe is an interesting concept. People are trying to kill RDBMS more and more every day :-\ - Jon -------------- next part -------------- An HTML attachment was scrubbed... URL: From hart at saturn.med.nyu.edu Sat Sep 8 23:08:44 2007 From: hart at saturn.med.nyu.edu (Joshua Hart) Date: Sat, 08 Sep 2007 23:08:44 -0400 Subject: [nycphp-talk] Re: talk Digest, Vol 11, Issue 18 In-Reply-To: <67qvkr$1dr7a@mail3.nyumc.org> Message-ID: On 9/8/07 10:45 PM, "talk-request at lists.nyphp.org" wrote: > >> Oracle is instantclient ia64-10.2.0.3-20061230 >> >> oci8 version 1.2.3 revision 1.269.2.16.2.37 >> >> Here's my configure command for PHP: >> >> './configure' '--with-zlib' '--with-gd' '--with-jpeg' '--with-png' >> '--with-libxml2=/usr/bin' '--with-mysql=/usr/local/mysql5120' >> '--with-apxs2=/usr/local/apache2/bin/apxs' '--enable-ftp' >> '--with-imap-ssl=/usr/include/ssl' >> '--with-imap=/space/custom_builds/imap-stuff/' '--with-openssl' >> '--with-pam' '--with-dom' '--with-iconv' '--with-mbstring=all' >> '--with-mbregex' '--with-domsxlt' '--with-mcrypt' '--with-xml' >> '--with-mime-magic' '--enable-exif' '--enable-uploadprogress' >> '--with-xmlrpc' '--with-gettext' '--with-pgsql' >> '--with-oci8=instantclient,/usr/local/oracle' > > Hmm... since this is ia64, there is no lib64 anywhere right? Make sure PHP > is linking against the right libs. Sometimes lib64'ness isn't always > obvious. Try adding --with-libdir=lib64 to the PHP ./configure, but I'm not > sure on this.
Ldd on the cli for php gives:

ssaturn /usr/local# ldd /space/custom_builds/php-5.2.4/sapi/cli/php
        linux-gate.so.1 => (0xa000000000000000)
        libcrypt.so.1 => /lib/libcrypt.so.1 (0x2000000000064000)
        libc-client.so => /space/custom_builds/imap-stuff//lib/libc-client.so (0x20000000000b4000)
        libpq.so.5 => /usr/local/pgsql/lib/libpq.so.5 (0x2000000000288000)
        librt.so.1 => /lib/librt.so.1 (0x20000000002dc000)
        libmysqlclient.so.15 => /usr/local/mysql5120/lib/libmysqlclient.so.15 (0x20000000002fc000)
        libmcrypt.so.4 => /usr/lib/libmcrypt.so.4 (0x2000000000528000)
        libltdl.so.3 => /usr/lib/libltdl.so.3 (0x2000000000588000)
        libdl.so.2 => /lib/libdl.so.2 (0x20000000005a8000)
        libpam.so.0 => /lib/libpam.so.0 (0x20000000005c0000)
        libpng.so.3 => /usr/lib/libpng.so.3 (0x20000000005e8000)
        libresolv.so.2 => /lib/libresolv.so.2 (0x200000000066c000)
        libm.so.6.1 => /lib/libm.so.6.1 (0x20000000006a0000)
        libnsl.so.1 => /lib/libnsl.so.1 (0x2000000000770000)
        libssl.so.0.9.8 => /usr/lib/libssl.so.0.9.8 (0x20000000007ac000)
        libcrypto.so.0.9.8 => /usr/lib/libcrypto.so.0.9.8 (0x200000000083c000)
        libclntsh.so.10.1 => /usr/local/oracle/libclntsh.so.10.1 (0x2000000000aa8000)
        libxml2.so.2 => /usr/lib/libxml2.so.2 (0x2000000002c90000)
        libc.so.6.1 => /lib/libc.so.6.1 (0x2000000002f40000)
        libimf.so.6 => /opt/intel/cc/9.1.037/lib/libimf.so.6 (0x2000000003190000)
        libirc.so => /opt/intel/cc/9.1.037/lib/libirc.so (0x2000000003440000)
        libipr.so.6 => /usr/local/oracle/libipr.so.6 (0x2000000003470000)
        libgcc_s.so.1 => /lib/libgcc_s.so.1 (0x2000000003484000)
        libpthread.so.0 => /lib/libpthread.so.0 (0x20000000034a4000)
        /lib/ld-linux-ia64.so.2 (0x2000000000000000)
        libz.so.1 => /lib/libz.so.1 (0x20000000034dc000)
        libnnz10.so => /usr/local/oracle/libnnz10.so (0x2000000003510000)
        libunwind.so.7 => /lib/libunwind.so.7 (0x2000000003898000)

> Another option would be to strip down the ./configure and add --disable-all. > Perhaps there are some conflicts with Oracle, lib64, etc.
Then start to add > extensions to see if you can isolate the problem. > >> Again, I can successfully login to the oracle database, and the >> simplest of queries works. Anything "complicated" crashes the program. > > If I understand correctly - if you login via the Oracle client directly (so > no PHP involved), it'll still segfault when there's a complicated query? No. What I was trying to say is that I can login to oracle via a PHP script. I can even do my query if I limit the data which is returned by oracle to less than 5 rows. As soon as I ask it to return 5 or more rows I get a segfault. In order to test the instantclient installation I installed the sqlplus "add on" for instantclient and it is able to connect to oracle and return all requested rows. When I use gdb to run the cli for php I get:

gdb /space/custom_builds/php-5.2.4/sapi/cli/php
GNU gdb 6.4
Copyright 2005 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB. Type "show warranty" for details.
This GDB was configured as "ia64-suse-linux"...Using host libthread_db library "/lib/libthread_db.so.1".

(gdb) run /www/htdocs/nonsecure/con.html
Starting program: /space/custom_builds/php-5.2.4/sapi/cli/php /www/htdocs/nonsecure/con.html
[Thread debugging using libthread_db enabled]
[New Thread 2305843009273028592 (LWP 27213)]

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 2305843009273028592 (LWP 27213)]
0x40000000005f6ba0 in _zval_ptr_dtor (zval_ptr=0x607ffffffebdb7f0) at /space/custom_builds/php-5.2.4/Zend/zend_execute_API.c:413
413             (*zval_ptr)->refcount--;
(gdb) where
#0  0x40000000005f6ba0 in _zval_ptr_dtor (zval_ptr=0x607ffffffebdb7f0) at /space/custom_builds/php-5.2.4/Zend/zend_execute_API.c:413
#1  0x400000000068d700 in zend_do_fcall_common_helper_SPEC (execute_data=0x607ffffffebdc370) at /space/custom_builds/php-5.2.4/Zend/zend_execute.h:155
#2  0x4000000000666a00 in execute (op_array=0x20000000039d4e40) at /space/custom_builds/php-5.2.4/Zend/zend_vm_execute.h:92
#3  0x40000000006188e0 in zend_execute_scripts (type=8, retval=0x0, file_count=3) at /space/custom_builds/php-5.2.4/Zend/zend.c:1134
#4  0x4000000000577bb0 in php_execute_script (primary_file=Cannot access memory at address 0x10 ) at /space/custom_builds/php-5.2.4/main/main.c:1982
#5  0x400000000076fa30 in main (argc=Cannot access memory at address 0x0 ) at /space/custom_builds/php-5.2.4/sapi/cli/php_cli.c:1140
(gdb)

From the stacktrace above it looks like something is overflowing its bounds... I will try your suggested alternative option next and just build php with oracle only to see if I get the same problem. I also have started to download the full client from Oracle instead of the instantclient to see if it makes any sort of difference. Thanks, Joshua From codebowl at gmail.com Sun Sep 9 00:56:31 2007 From: codebowl at gmail.com (Joseph Crawford) Date: Sun, 9 Sep 2007 00:56:31 -0400 Subject: [nycphp-talk] Books & magazines In-Reply-To: <9CEFB170-CA95-4371-BF8C-DF47C149BBD5@jonbaer.com> References: <46E2D692.8020703@beezifies.com> <9CEFB170-CA95-4371-BF8C-DF47C149BBD5@jonbaer.com> Message-ID: <8d9a42800709082156q4345a090w3272ad2416c02dcb@mail.gmail.com> i had php|architect and loved it but there is also PHP Magazine which I never subscribed to. -- Joseph Crawford Jr. Zend Certified Engineer Codebowl Solutions, Inc.
http://www.codebowl.com/ Blog: http://www.josephcrawford.com/ 1-802-671-2021 codebowl at gmail.com -------------- next part -------------- An HTML attachment was scrubbed... URL: From lists at zaunere.com Sun Sep 9 11:56:04 2007 From: lists at zaunere.com (Hans Zaunere) Date: Sun, 9 Sep 2007 11:56:04 -0400 Subject: [nycphp-talk] Re: talk Digest, Vol 11, Issue 18 In-Reply-To: References: <67qvkr$1dr7a@mail3.nyumc.org> Message-ID: <0d8e01c7f2f9$ed878a90$640aa8c0@MobileZ> Joshua Hart wrote on Saturday, September 08, 2007 11:09 PM: > On 9/8/07 10:45 PM, "talk-request at lists.nyphp.org" > wrote: > > > > > > Oracle is instantclient ia64-10.2.0.3-20061230 > > > > > > oci8 version 1.2.3 revision 1.269.2.16.2.37 > > > > > > Here's my configure command for PHP: > > > > > > './configure' '--with-zlib' '--with-gd' '--with-jpeg' '--with-png' > > > '--with-libxml2=/usr/bin' '--with-mysql=/usr/local/mysql5120' > > > '--with-apxs2=/usr/local/apache2/bin/apxs' '--enable-ftp' > > > '--with-imap-ssl=/usr/include/ssl' > > > '--with-imap=/space/custom_builds/imap-stuff/' '--with-openssl' > > > '--with-pam' '--with-dom' '--with-iconv' '--with-mbstring=all' > > > '--with-mbregex' '--with-domsxlt' '--with-mcrypt' '--with-xml' > > > '--with-mime-magic' '--enable-exif' '--enable-uploadprogress' > > > '--with-xmlrpc' '--with-gettext' '--with-pgsql' > > > '--with-oci8=instantclient,/usr/local/oracle' > > > > Hmm... since this is ia64, there is no lib64 anywhere right? Make > > sure PHP is linking against the right libs. Sometimes lib64'ness > > isn't always obvious. Try adding --with-libdir=lib64 to the PHP > > ./configure, but I'm not sure on this. 
> > Ldd on the cli for php gives: > ssaturn /usr/local# ldd /space/custom_builds/php-5.2.4/sapi/cli/php > linux-gate.so.1 => (0xa000000000000000) > libcrypt.so.1 => /lib/libcrypt.so.1 (0x2000000000064000) > libc-client.so => > /space/custom_builds/imap-stuff//lib/libc-client.so > (0x20000000000b4000) libpq.so.5 => > /usr/local/pgsql/lib/libpq.so.5 (0x2000000000288000) > librt.so.1 => /lib/librt.so.1 (0x20000000002dc000) > libmysqlclient.so.15 => /usr/local/mysql5120/lib/libmysqlclient.so.15 > (0x20000000002fc000) libmcrypt.so.4 => > /usr/lib/libmcrypt.so.4 (0x2000000000528000) libltdl.so.3 => > /usr/lib/libltdl.so.3 (0x2000000000588000) libdl.so.2 => > /lib/libdl.so.2 (0x20000000005a8000) libpam.so.0 => > /lib/libpam.so.0 (0x20000000005c0000) libpng.so.3 => > /usr/lib/libpng.so.3 (0x20000000005e8000) libresolv.so.2 => > /lib/libresolv.so.2 (0x200000000066c000) libm.so.6.1 => > /lib/libm.so.6.1 (0x20000000006a0000) libnsl.so.1 => > /lib/libnsl.so.1 (0x2000000000770000) libssl.so.0.9.8 => > /usr/lib/libssl.so.0.9.8 (0x20000000007ac000) > libcrypto.so.0.9.8 => /usr/lib/libcrypto.so.0.9.8 (0x200000000083c000) > libclntsh.so.10.1 => /usr/local/oracle/libclntsh.so.10.1 > (0x2000000000aa8000) > libxml2.so.2 => /usr/lib/libxml2.so.2 (0x2000000002c90000) > libc.so.6.1 => /lib/libc.so.6.1 (0x2000000002f40000) > libimf.so.6 => /opt/intel/cc/9.1.037/lib/libimf.so.6 > (0x2000000003190000) > libirc.so => /opt/intel/cc/9.1.037/lib/libirc.so > (0x2000000003440000) > libipr.so.6 => /usr/local/oracle/libipr.so.6 > (0x2000000003470000) libgcc_s.so.1 => /lib/libgcc_s.so.1 > (0x2000000003484000) libpthread.so.0 => /lib/libpthread.so.0 > (0x20000000034a4000) /lib/ld-linux-ia64.so.2 > (0x2000000000000000) libz.so.1 => /lib/libz.so.1 > (0x20000000034dc000) libnnz10.so => > /usr/local/oracle/libnnz10.so (0x2000000003510000) > libunwind.so.7 => /lib/libunwind.so.7 (0x2000000003898000) > > > > > > Another option would be to strip down the ./configure and add > > --disable-all. 
Perhaps there are some conflicts with Oracle, lib64, > > etc. Then start to add extensions to see if you can isolate the > > problem. > > > > > Again, I can successfully login to the oracle database, and the > > > simplest of queries works. Anything "complicated" crashes the > > > program. > > > > If I understand correctly - if you login via the Oracle client > > directly (so no PHP involved), it'll still segfault when there's a > > complicated query? > > No.. What I was trying to say is that I can login to oracle via a PHP > script. I can even do my query if I limit the data which is returned > by oracle to less than 5 rows. As soon as I ask it to return 5 or > more rows I get a segfault. > > In order to test the instantclient installation I installed the > sqlplus "add on" for instantclient and it is able to connect to > oracle and return all requested rows. > > When I use gdb to run the cli for php I get: > > gdb /space/custom_builds/php-5.2.4/sapi/cli/php > GNU gdb 6.4 > Copyright 2005 Free Software Foundation, Inc. > GDB is free software, covered by the GNU General Public License, and > you are welcome to change it and/or distribute copies of it under > certain conditions. > Type "show copying" to see the conditions. > There is absolutely no warranty for GDB. Type "show warranty" for > details. This GDB was configured as "ia64-suse-linux"...Using host > libthread_db library "/lib/libthread_db.so.1". > > (gdb) run /www/htdocs/nonsecure/con.html > Starting program: /space/custom_builds/php-5.2.4/sapi/cli/php > /www/htdocs/nonsecure/con.html > [Thread debugging using libthread_db enabled] > [New Thread 2305843009273028592 (LWP 27213)] > > Program received signal SIGSEGV, Segmentation fault. 
> [Switching to Thread 2305843009273028592 (LWP 27213)] > 0x40000000005f6ba0 in _zval_ptr_dtor (zval_ptr=0x607ffffffebdb7f0) at > /space/custom_builds/php-5.2.4/Zend/zend_execute_API.c:413 > 413 (*zval_ptr)->refcount--; > (gdb) where > #0 0x40000000005f6ba0 in _zval_ptr_dtor > (zval_ptr=0x607ffffffebdb7f0) at > /space/custom_builds/php-5.2.4/Zend/zend_execute_API.c:413 #1 > 0x400000000068d700 in zend_do_fcall_common_helper_SPEC > (execute_data=0x607ffffffebdc370) at > /space/custom_builds/php-5.2.4/Zend/zend_execute.h:155 #2 > 0x4000000000666a00 in execute (op_array=0x20000000039d4e40) at > /space/custom_builds/php-5.2.4/Zend/zend_vm_execute.h:92 #3 > 0x40000000006188e0 in zend_execute_scripts (type=8, retval=0x0, > file_count=3) at /space/custom_builds/php-5.2.4/Zend/zend.c:1134 #4 > 0x4000000000577bb0 in php_execute_script (primary_file=Cannot access > memory at address 0x10 ) at > /space/custom_builds/php-5.2.4/main/main.c:1982 #5 > 0x400000000076fa30 in main (argc=Cannot access memory at address 0x0 > ) at /space/custom_builds/php-5.2.4/sapi/cli/php_cli.c:1140 (gdb) > > > From the stacktrace above looks like something is overflowing its > > bounds... > > I will try your suggested alternative option next and just build php > with oracle only to see if I get the same problem. Yeah - I'd almost bet that it looks like a bad pointer/int on 64bit which is probably a bug in PHP/Zend. Try doing a minimal configure which can also help in reporting a bug. > I also have started to download the full client from Oracle instead > of the instantclient to see if it makes any sort of difference. Would be interested to know if this makes a difference - I think there's been some rumblings of problems with instantclient. 
H From chsnyder at gmail.com Sun Sep 9 18:18:42 2007 From: chsnyder at gmail.com (csnyder) Date: Sun, 9 Sep 2007 18:18:42 -0400 Subject: [nycphp-talk] CouchDB (PHP) In-Reply-To: References: Message-ID: On 9/8/07, Jon Baer wrote: > So has anyone here played around w/ CouchDB @ all? That should make some heads spin. > I'm getting the vibe that it would be akin to say SQLite BLOBs w/ slick > replication techniques, but have not seen it in action much, but the whole > JSON in/out pipe is an interesting concept. People are trying to kill RDBMS > more and more everyday :-\ The cross-platform-ness of the CouchDB server implies that you might replicate a shared database onto each workstation that accesses it. What I don't see from the initial documentation and demos is a writeup of how the bi-directional sync works, and whether it can be manually triggered ("sync database now") from within an app. Very cool, though. It seems like you could mix in some xml db functionality, too, like creating a view of all of the links in a collection of documents. -- Chris Snyder http://chxo.com/ From jakob.buchgraber at googlemail.com Mon Sep 10 11:57:14 2007 From: jakob.buchgraber at googlemail.com (Jakob Buchgraber) Date: Mon, 10 Sep 2007 17:57:14 +0200 Subject: [nycphp-talk] Check for absolute path (cross platform) Message-ID: <46E5695A.1030302@gmail.com> I wrote a function that searches for a file within the include_path. Here it is:

    function ppcIncludize ($path) {
        // check for absolute path: leading "/" (Unix) or a drive letter followed by ":" (Windows);
        // the length guards avoid an "uninitialized string offset" notice on paths shorter than two characters
        if (strlen($path) > 0 && ($path[0] == "/" || (strlen($path) > 1 && $path[1] == ":"))) {
            if (file_exists ($path)) {
                return $path;
            }
            return false;
        }
        // otherwise try each include_path entry in turn
        $includePath = get_include_path();
        foreach (explode (PATH_SEPARATOR, $includePath) as $directory) {
            $tmpPath = "$directory/$path";
            if (file_exists ($tmpPath)) {
                return $tmpPath;
            }
        }
        return false;
    }

This function only makes sense if the parameter given is a relative path to a file or folder and as this is not always the case I first check if it's an absolute path. 
So for unix systems it's quite easy, just need to check for / at the beginning, but on windows I am not sure as I don't use and have never developed under Windows. However as far as I know an absolute path starts with a drive letter e.g. C followed by a :. So I just check for the : . I am not 100% sure if this works, so may anybody test it for me or at least tell me if I am right with my assumption about windows path names. Thanks! Jakob -- Sun Certified Programmer for the Java 2 Platform, Standard Edition 5.0 From lists at enobrev.com Mon Sep 10 13:05:03 2007 From: lists at enobrev.com (Mark Armendariz) Date: Mon, 10 Sep 2007 13:05:03 -0400 Subject: [nycphp-talk] Check for absolute path (cross platform) In-Reply-To: <46E5695A.1030302@gmail.com> References: <46E5695A.1030302@gmail.com> Message-ID: <46E5793F.5070308@enobrev.com> Jakob Buchgraber wrote: > I wrote a function that searches for a file within the include_path. > Here it is: > > // check for absolute path > if ($path[0] == "/" || $path[1] == ":") { > if (file_exists ($path)) { > return $path; > } > > return false; > } What about if (str_replace('\\', '/', $path) == str_replace('\\','/', realpath($path))) Mark From danielc at analysisandsolutions.com Tue Sep 11 10:20:16 2007 From: danielc at analysisandsolutions.com (Daniel Convissor) Date: Tue, 11 Sep 2007 10:20:16 -0400 Subject: [nycphp-talk] Check for absolute path (cross platform) In-Reply-To: <46E5695A.1030302@gmail.com> References: <46E5695A.1030302@gmail.com> Message-ID: <20070911142016.GA4600@panix.com> Hi Jakob: On Mon, Sep 10, 2007 at 05:57:14PM +0200, Jakob Buchgraber wrote: > I wrote a function that searches for a file within the include_path. Why? PHP's include does all of this for you better and faster. 
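A cross-platform version of the check Jakob and Mark are discussing, added here as an example and not code posted in the thread: it treats Unix roots, Windows drive and UNC paths, and PHP stream-wrapper prefixes (phar://, http://) as "not relative", then resolves a relative name through include_path with realpath() and only returns it when the result stays under a caller-supplied base directory, so a name containing ../ cannot be used to reach outside it. The function names and the scratch directory are assumptions.

```php
<?php
// Added example, not the posters' code. Function names are hypothetical.

/**
 * True when $path is absolute on Unix or Windows, or carries a stream-wrapper
 * scheme; such values must never be joined onto an include_path entry.
 */
function isAbsolutePath($path)
{
    if (!is_string($path) || $path === '') {
        return false;
    }
    // Unix root, Windows drive-root-relative (\dir) and UNC (\\server\share) paths
    if ($path[0] === '/' || $path[0] === '\\') {
        return true;
    }
    // Windows drive letter followed by a separator: C:\dir or C:/dir
    // (a bare "C:foo" is drive-relative, so a separator is required here)
    if (preg_match('#^[A-Za-z]:[\\\\/]#', $path)) {
        return true;
    }
    // A scheme prefix selects a PHP stream wrapper (phar://, http://, php://), not a file
    if (preg_match('#^[A-Za-z][A-Za-z0-9+.\-]*://#', $path)) {
        return true;
    }
    return false;
}

/**
 * Look $relative up in include_path and return its canonical location, but only
 * when that location lies beneath $allowedRoot. Returns false for absolute paths
 * and wrappers, for names that resolve outside the root, and for missing files.
 */
function resolveIncludable($relative, $allowedRoot)
{
    // NUL bytes would truncate the name inside the C-level file calls
    if (isAbsolutePath($relative) || strpos($relative, "\0") !== false) {
        return false;
    }
    $root = realpath($allowedRoot);
    if ($root === false) {
        return false;
    }
    $root = rtrim($root, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;

    foreach (explode(PATH_SEPARATOR, get_include_path()) as $dir) {
        $candidate = realpath($dir . DIRECTORY_SEPARATOR . $relative);
        if ($candidate === false || !is_file($candidate)) {
            continue;
        }
        // realpath() has already collapsed any ../ segments and symlinks,
        // so a plain prefix comparison against the root is reliable
        if (strncmp($candidate, $root, strlen($root)) === 0) {
            return $candidate;
        }
    }
    return false;
}

// Constructed demonstration: a scratch directory stands in for a real include_path entry
$scratch = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'ppc_demo_' . getmypid();
mkdir($scratch . DIRECTORY_SEPARATOR . 'lib', 0700, true);
file_put_contents($scratch . DIRECTORY_SEPARATOR . 'lib' . DIRECTORY_SEPARATOR . 'helper.php', "<?php\n");
set_include_path($scratch . PATH_SEPARATOR . get_include_path());

var_dump(isAbsolutePath('/etc/passwd'));           // Unix absolute
var_dump(isAbsolutePath('C:\\Windows\\win.ini'));  // Windows drive path
var_dump(isAbsolutePath('\\\\server\\share\\x'));  // UNC path
var_dump(isAbsolutePath('phar://archive.phar/x')); // stream wrapper
var_dump(isAbsolutePath('lib/helper.php'));        // plain relative name

var_dump(resolveIncludable('lib/helper.php', $scratch));          // found under the root
var_dump(resolveIncludable('lib/../../../etc/passwd', $scratch)); // traversal leaves the root
var_dump(resolveIncludable('/etc/passwd', $scratch));             // absolute, never searched
```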
--Dan -- T H E A N A L Y S I S A N D S O L U T I O N S C O M P A N Y data intensive web and database programming http://www.AnalysisAndSolutions.com/ 4015 7th Ave #4, Brooklyn NY 11232 v: 718-854-0335 f: 718-854-0409 From jkelly at sussex.edu Tue Sep 11 12:12:38 2007 From: jkelly at sussex.edu (jessica kelly) Date: Tue, 11 Sep 2007 12:12:38 -0400 Subject: [nycphp-talk] WebServer Probs - OT? Message-ID: <46E686360200008A0000F987@mail.sussex.edu> Hi Everyone I am having problems with a webserver and a xampp type setup. I need to find some free or near free monitoring tool to see the process (apache php mysql mailclient etc...) load on the server, any processes that may be tying up the server/cpu and anything else that may help point out the problem. It's an older Win box and I have access to a Linux box if I need to run it on Linux with a client on the win box. I have looked at Nagios & Cacti but I'm not sure it does what I'm looking for or if they're even close to what I need. I'm getting overwhelmed with the choices that turn up in a search. Does anyone have any recommendations as to what software may work. Sincerely, Jessica Kelly From ajai at bitblit.net Tue Sep 11 12:18:08 2007 From: ajai at bitblit.net (Ajai Khattri) Date: Tue, 11 Sep 2007 12:18:08 -0400 (EDT) Subject: [nycphp-talk] WebServer Probs - OT? In-Reply-To: <46E686360200008A0000F987@mail.sussex.edu> Message-ID: On Tue, 11 Sep 2007, jessica kelly wrote: > I have looked at Nagios & Cacti but I'm not sure it does what I'm > looking for or if they're even close to what I need. I'm getting > overwhelmed with the choices that turn up in a search. A lot of people use Nagios for monitoring - which begs the question why do you think it doesn't do what you need? Over here, we have deployed Zabbix for monitoring. -- Aj. 
From bz-gmort at beezifies.com Tue Sep 11 13:07:56 2007 From: bz-gmort at beezifies.com (Gary Mort) Date: Tue, 11 Sep 2007 13:07:56 -0400 Subject: [nycphp-talk] Microsoft Access Message-ID: <46E6CB6C.8070906@beezifies.com> I'm looking around for a way to access some microsoft access database info on linux(sorry, netbsd, but it should work mostly the same, right? :-)) So far, mdbtools looks the most promising: http://mdbtools.sourceforge.net/ I was wondering if anyone else had any promising steps? From wfan at VillageVoice.com Tue Sep 11 13:26:41 2007 From: wfan at VillageVoice.com (Fan, Wellington) Date: Tue, 11 Sep 2007 13:26:41 -0400 Subject: [nycphp-talk] Apache bench (ab) [OT] Message-ID: <4D2FAD9B00577645932AD7ED5FECA2450324A020@mail> Hey all, I was using ab for some very simple load testing. $ ab -n100 http://192.168.34.6/hits.php Generates 100 access log lines. $ ab -n100 -c100 http://192.168.34.6/hits.php Generates *roughly* 200... Huh? -- Wellington Fan wfan at villagevoice.com From rharding at mitechie.com Tue Sep 11 13:37:24 2007 From: rharding at mitechie.com (Rick Harding) Date: Tue, 11 Sep 2007 13:37:24 -0400 Subject: [nycphp-talk] Apache bench (ab) [OT] In-Reply-To: <4D2FAD9B00577645932AD7ED5FECA2450324A020@mail> References: <4D2FAD9B00577645932AD7ED5FECA2450324A020@mail> Message-ID: <46E6D254.7000304@mitechie.com> Fan, Wellington wrote: > Hey all, > > I was using ab for some very simple load testing. > > > $ ab -n100 http://192.168.34.6/hits.php > > Generates 100 access log lines. > > > > $ ab -n100 -c100 http://192.168.34.6/hits.php > > Generates *roughly* 200... > > > > Huh? > Retries perhaps? i.e. you tried to run 100 concurrent requests, not all got served so they retried? Rick From lk613m at yahoo.com Tue Sep 11 15:49:07 2007 From: lk613m at yahoo.com (LK) Date: Tue, 11 Sep 2007 12:49:07 -0700 (PDT) Subject: [nycphp-talk] ORM anyone? 
Message-ID: <581333.49724.qm@web53305.mail.re2.yahoo.com> Hello, Please help me in overcoming a mental block about this wonderful thing called ORM. By reading some examples on using ORM, such as setting up Author/Books parent/child objects, I notice that each author and each book has to be individually assigned in the PHP script and saved. This is what I don't understand, 1. if my database contains thousands of authors and 100's of thousands of books, I have to 1) create each new object 2) assign each field value to it and 3) save it, and do this for 100's of thousands of records? Somehow that just does not make sense, since the records are already in the database, why do I have to save(..) them again? 2. If I have an existing database with 100's of thousands of rows already populated, how does ORM know which record corresponds to which php object? In other words, how do I just start using existing mysql records as php objects? 3. If an existing database has many relations between tables, how do I form complex joins between them using ORM? Thanks for your response Leo ____________________________________________________________________________________ Shape Yahoo! in your own image. Join our Network Research Panel today! http://surveylink.yahoo.com/gmrs/yahoo_panel_invite.asp?a=7 -------------- next part -------------- An HTML attachment was scrubbed... URL: From chsnyder at gmail.com Tue Sep 11 16:21:30 2007 From: chsnyder at gmail.com (csnyder) Date: Tue, 11 Sep 2007 16:21:30 -0400 Subject: [nycphp-talk] ORM anyone? In-Reply-To: <581333.49724.qm@web53305.mail.re2.yahoo.com> References: <581333.49724.qm@web53305.mail.re2.yahoo.com> Message-ID: On 9/11/07, LK wrote: > Please help me in overcoming a mental block about this wonderful thing > called ORM. ORM is a concept, not a defined system. It may help to get your questions answered if you say whether you are using an existing framework or designing your own. > 1. 
if my database contains thousands of authors and 100's of thousands of > books, I have to 1) create each new object 2) assign each field value to it > and 3) save it, and do this for 100's of thousands of records? Somehow that > just does not make sense, since the records are already in the database, why > do I have to save(..) them again? You could think of it as exporting records from your existing database into your new object model. It's a one-time operation across all of your data. > 2. If I have an existing database with 100's of thousands of rows already > populated, how does ORM know which record corresponds to which php object? > In other words, how do I just start using existing mysql records as php > objects? It doesn't. You create those relations as you build and store the new objects. > 3. If an existing database has many relations between tables, how do I form > complex joins between them using ORM? Depends on the system. If you have an existing database with complex relations, why are you considering breaking it by migrating to something new? -- Chris Snyder http://chxo.com/ From ken at secdat.com Tue Sep 11 16:27:37 2007 From: ken at secdat.com (Kenneth Downs) Date: Tue, 11 Sep 2007 16:27:37 -0400 Subject: [nycphp-talk] ORM anyone? In-Reply-To: <581333.49724.qm@web53305.mail.re2.yahoo.com> References: <581333.49724.qm@web53305.mail.re2.yahoo.com> Message-ID: <46E6FA39.7000608@secdat.com> LK wrote: > Hello, > > Please help me in overcoming a mental block about this wonderful thing > called ORM. > > By reading some examples on using ORM, such as setting up Author/Books > parent/child objects, I notice that each author and each book has to > be individually assigned in the PHP script and saved. This is what I > don't understand, > > 1. if my database contains thousands of authors and 100's of thousands > of books, I have to 1) create each new object 2) assign each field > value to it and 3) save it, and do this for 100's of thousands of > records? 
Somehow that just does not make sense, since the records are > already in the database, why do I have to save(..) them again? Are you asking if it is necessary to create code that reproduces each row in each table in the database? If so, the answer is no, definitely not. > > 2. If I have an existing database with 100's of thousands of rows > already populated, how does ORM know which record corresponds to which > php object? In other words, how do I just start using existing mysql > records as php objects? Presumably the user has indicated which row they want, usually as a result of some search. You then instantiate a new object and populate it with those rows. > > 3. If an existing database has many relations between tables, how do I > form complex joins between them using ORM? PHP is a record-oriented step-wise language. It is good for writing programs with loops and if-then and case and so forth. It is not good at manipulating sets of table-based data. For manipulating sets of table-based data we use SQL (at least I do). As you may guess, I'm no fan of ORM. The main reason is what I just said above. OO code and table-based data are two very different beasts with very different natures. ORM tries to make one look like the other. Why would anybody want to do this? Hell if I know. That being said, there are plenty of "solutions" out there that try to get around this. IMHO they are all Rube Goldberg machines. > > Thanks for your response > > Leo > > ------------------------------------------------------------------------ > Need a vacation? Get great deals to amazing places > on > Yahoo! Travel. 
> ------------------------------------------------------------------------ > > _______________________________________________ > New York PHP Community Talk Mailing List > http://lists.nyphp.org/mailman/listinfo/talk > > NYPHPCon 2006 Presentations Online > http://www.nyphpcon.com > > Show Your Participation in New York PHP > http://www.nyphp.org/show_participation.php -- Kenneth Downs Secure Data Software, Inc. www.secdat.com www.andromeda-project.org 631-689-7200 Fax: 631-689-0527 cell: 631-379-0010 -------------- next part -------------- An HTML attachment was scrubbed... URL: From ajai at bitblit.net Tue Sep 11 17:15:59 2007 From: ajai at bitblit.net (Ajai Khattri) Date: Tue, 11 Sep 2007 17:15:59 -0400 (EDT) Subject: [nycphp-talk] ORM anyone? In-Reply-To: <46E6FA39.7000608@secdat.com> Message-ID: On Tue, 11 Sep 2007, Kenneth Downs wrote: > As you may guess, I'm no fan of ORM. The main reason is what I just > said above. OO code and table-based data are two very different beasts > with very different natures. ORM tries to make one look like the > other. Why would anybody want to do this? For a couple of reasons: 1) Dealing with SQL from an OOP programming language is not natural. 2) Conceptual relationships are easier to deal with via objects. 3) It gives you a layer of abstraction above the database to the degree that it doesn't matter what the underlying database actually is, you have a uniform interface always. Doesn't matter if you switch SQLlite to MySQL to Postgres - all looks the same. -- Aj. From ken at secdat.com Tue Sep 11 19:07:04 2007 From: ken at secdat.com (Ken Downs) Date: Tue, 11 Sep 2007 19:07:04 -0400 Subject: [nycphp-talk] ORM anyone? In-Reply-To: References: Message-ID: Ajai Khattri <ajai at bitblit.net> wrote: > On Tue, 11 Sep 2007, Kenneth Downs wrote: > > > As you may guess, I'm no fan of ORM. The main reason is what I just > > said above. OO code and table-based data are two very different beasts > > with very different natures. 
ORM tries to make one look like the > > other. Why would anybody want to do this? > > For a couple of reasons: > > 1) Dealing with SQL from an OOP programming language is not natural. That's a personal opinion, not a system requirement. Hey, that's fine. My opinion is that generating SQL is natural and easy, a little easier than generating HTML. > > 2) Conceptual relationships are easier to deal with via objects. What's a "conceptual relationship?" If you put your data into tables, then the relationships between the tables are foreign keys. That's easier to handle in set-based SQL, the language that was designed to do it. > > 3) It gives you a layer of abstraction above the database to the > degree that it doesn't matter what the underlying database > actually is, you have a uniform interface always. Doesn't matter > if you switch SQLite to MySQL to Postgres - all looks the same. > Actually you don't need ORM for that, you just need a generalized set of commands, like "db_query" instead of "pg_query" and "mysql_query". _________________________________________________________ This mail sent using V-webmail - http://www.v-webmail.org From ramons at gmx.net Tue Sep 11 20:10:36 2007 From: ramons at gmx.net (David Krings) Date: Tue, 11 Sep 2007 20:10:36 -0400 Subject: [nycphp-talk] Microsoft Access In-Reply-To: <46E6CB6C.8070906@beezifies.com> References: <46E6CB6C.8070906@beezifies.com> Message-ID: <46E72E7C.7060501@gmx.net> Gary Mort wrote: > I'm looking around for a way to access some microsoft access database > info on linux(sorry, netbsd, but it should work mostly the same, right? > :-)) > > So far, mdbtools looks the most promising: http://mdbtools.sourceforge.net/ > > I was wondering if anyone else had any promising steps? Doesn't PHP have a module to access Access dbs directly? No clue if that needs to have Access itself installed. 
You could see if you can hook something up through OOo. Other than that, no idea. David From ajai at bitblit.net Tue Sep 11 20:22:04 2007 From: ajai at bitblit.net (Ajai Khattri) Date: Tue, 11 Sep 2007 20:22:04 -0400 (EDT) Subject: [nycphp-talk] ORM anyone? In-Reply-To: Message-ID: > On Tue, 11 Sep 2007, Kenneth Downs wrote: > > That's a personal opinion, not a system requirement. We *can* agree that SQL is not PHP (or Ruby or Python). > What's a "conceptual relationship?" If you put your data into tables, > then the relationships between the tables are foreign keys. That's easier > to handle in set-based SQL, the language that was designed to do it. No one writes apps in pure SQL :-) One has to take off their OOP hat, replace with a SQL hat, and translate what you are trying to build into whatever tables / rows / columns / relations you can model in SQL. So if you're using an OOP language (and I do include PHP5 in that category) you have to do that mapping anyway (until we get object-based databases perhaps). In fact, most data structures need to be mapped (how do you store a tree in a relational database? You don't, at least not without some mapping process to SQL). > Actually you don't need ORM for that, you just need a generalized set of > commands, like "db_query" instead of "pg_query" and "mysql_query". In other words, another layer of abstraction? Like ORM but not using objects? :-) For me, it comes down to a choice between dealing with mappings and all the database plumbing that that entails vs. letting an ORM layer manage all that so I can concentrate on business logic and application flow. Of course, there's always a trade off, like most things - I just think writing say: event = Event.find(1) event.title = "New title" event.save more naturally expresses what I'm doing than: UPDATE events SET TITLE="New title" where id=1 Once you start defining and updating many-to-many relationships, the SQL becomes much more complex compared to writing code. 
I know I won't convince you but I think it important for people to hear both sides and make up their own minds. p.s. What the hell is v-webmail? Your email was unreplyable in Pine and WebMail. I had to manually copy and paste your comments... -- Aj. From ajai at bitblit.net Tue Sep 11 20:24:50 2007 From: ajai at bitblit.net (Ajai Khattri) Date: Tue, 11 Sep 2007 20:24:50 -0400 (EDT) Subject: [nycphp-talk] Microsoft Access In-Reply-To: <46E72E7C.7060501@gmx.net> Message-ID: On Tue, 11 Sep 2007, David Krings wrote: > Gary Mort wrote: > > I'm looking around for a way to access some microsoft access database > > info on linux(sorry, netbsd, but it should work mostly the same, right? > > :-)) > > > > So far, mdbtools looks the most promising: http://mdbtools.sourceforge.net/ > > > > I was wondering if anyone else had any promising steps? > > Doesn't PHP have a module to access Access dbs directly? No clue if that > needs to have Access itself installed. You could see if you can hook > something up through OOo. What about using ODBC to talk to Access? -- Aj. From bz-gmort at beezifies.com Tue Sep 11 20:36:27 2007 From: bz-gmort at beezifies.com (Gary Mort) Date: Tue, 11 Sep 2007 20:36:27 -0400 Subject: [nycphp-talk] Microsoft Access In-Reply-To: References: Message-ID: <46E7348B.2030403@beezifies.com> Ajai Khattri wrote: > On Tue, 11 Sep 2007, David Krings wrote: > > >> Doesn't PHP have a module to access Access dbs directly? No clue if that >> needs to have Access itself installed. You could see if you can hook >> something up through OOo. >> > > > What about using ODBC to talk to Access? > > > Both methods seem to require running on windows so you have the windows drivers to access the access database. I'd rather do all my processing on the netbsd platform. 
From chsnyder at gmail.com Tue Sep 11 23:04:23 2007 From: chsnyder at gmail.com (csnyder) Date: Tue, 11 Sep 2007 23:04:23 -0400 Subject: [nycphp-talk] Microsoft Access In-Reply-To: <46E7348B.2030403@beezifies.com> References: <46E7348B.2030403@beezifies.com> Message-ID: On 9/11/07, Gary Mort wrote: > I'd rather do all my processing on the netbsd platform. Are you sure you wouldn't rather export from Access to CSV and process that? I can see the appeal of accessing the .mdb directly (via samba?) but unless you need to do so in real time... Well, another option might be to use MSDE or SQL Server as a backend, but now I'm way out of my league. -- Chris Snyder http://chxo.com/ From rahmin at insite-out.com Wed Sep 12 05:39:30 2007 From: rahmin at insite-out.com (Rahmin Pavlovic) Date: Wed, 12 Sep 2007 05:39:30 -0400 Subject: [nycphp-talk] "net" as timestamp? Message-ID: Found a weird one today:

    echo date("Y-m-d H:i:s T", time()) . "\n";
    echo date("Y-m-d H:i:s T", strtotime('net surfing')) . "\n";
    echo date("Y-m-d H:i:s T", strtotime('surfing net')) . "\n";

Echoes:

    2007-09-12 05:29:41 EDT
    2007-09-12 01:09:41 EDT
    1969-12-31 19:00:00 EST

Why does "net" return 4hr + 20min ago, and why do I feel like I already lived it? More importantly, does anyone know a list of reserved date terms I can parse out? From anieshjoseph at gmail.com Wed Sep 12 06:06:46 2007 From: anieshjoseph at gmail.com (Aniesh joseph) Date: Wed, 12 Sep 2007 15:36:46 +0530 Subject: [nycphp-talk] Keep login on two sites simultaneously by just login in any of the two sites.. Message-ID: <1b3d2fde0709120306s798af328ne2c27eb626b71b4d@mail.gmail.com> Hello, Is it possible to share the session in two sites? I have two sites both of them having same contents(login id & password) in the database.. So someone login in siteA, possible to login in siteB automatically? So a person login in siteA and opens the siteB(same browser or in a separate browser), Can I show that the person is logged in in siteB also ? 
Could someone help me? Thanks & Regards, Aniesh Joseph -------------- next part -------------- An HTML attachment was scrubbed... URL: From rahmin at insite-out.com Wed Sep 12 06:28:38 2007 From: rahmin at insite-out.com (Rahmin Pavlovic) Date: Wed, 12 Sep 2007 06:28:38 -0400 Subject: [nycphp-talk] Keep login on two sites simultaneously by just login in any of the two sites.. In-Reply-To: <1b3d2fde0709120306s798af328ne2c27eb626b71b4d@mail.gmail.com> Message-ID: Aniesh joseph wrote: > Hello, > > Is it possible to share the session in two sites? I have two sites both of > them having same contents(login id & password) in the database.. So someone > login in siteA, possible to login in siteB automatically? > I like to keep a sort of "bridge" table for things like this. Say, user logs into site A, and their session id -- or some hash of their personal data -- gets stored in the bridge table with a timestamp (and user id, or whatever else you want to link up to). If you drive content from one site to another, you could append their session id to the URL, and lookup that user on site B, within a given timeframe (say, 30min since the bridge timestamp was inserted). If the user/pass info is exactly the same on both sites, you could store a hash of that in the bridge table (as opposed to the session). If logins to site B are sensitive, you could include a counter in the bridge table to only allow one concurrent login. From ken at secdat.com Wed Sep 12 07:28:45 2007 From: ken at secdat.com (Kenneth Downs) Date: Wed, 12 Sep 2007 07:28:45 -0400 Subject: [nycphp-talk] ORM anyone? In-Reply-To: References: Message-ID: <46E7CD6D.6060006@secdat.com> Ajai Khattri wrote: >> On Tue, 11 Sep 2007, Kenneth Downs wrote: >> >> That's a personal opinion, not a system requirement. >> > > We *can* agree that SQL is not PHP (or Ruby or Python). > Sure. > > >> What's a "conceptual relationship?" If you put your data into tables, >> then the relationships between the tables are foreign keys. 
That's easier >> to handle in set-based SQL, the language that was designed to do it. >> > > Noone writes apps in pure SQL :-) > > One has to take off their OOP hat, replace with a SQL hat, and > translate what you are trying to build into whatever tables / rows / > columns / relations you can model in SQL. So if you're using an OOP > language (and I do include PHP5 in that category) you have to do that > mapping anyway (until we get object-based databases perhaps). In fact, > most data structures need to be mapped (how do you store a tree in a > relational database? You don't, at least not without some mapping > process to SQL). > > What I am saying is no, you don't have to do that mapping, not if you think of data in terms of tables and rows, which is after all what it is, and think of code in terms of functions and classes, which is, after all, what it is. OOP is wonderful for organizing code. I have always found it superb at organizing UI based code, but horrible for business rules. But my central point is that code is so different from table-based data, it requires different "hats" as you say above, that trying to make one look like the other is ultimately counter-productive. In particular, I find it a mistake to make an object for each table and then to try to extend the object model to handle things like foreign keys. Consider an analogy. Most PHP programmers must learn HTML, CSS, and Javascript to some level of competence in order to code in PHP. This is considered necessary and good, and we encourage one another to learn to do that stuff right, the way it wants to be done. But come the database and we all decide we can somehow avoid learning the principles of DB design and try to make it look like PHP code. We accept the obligation to learn HTML, CSS and Javascript, and even a few things about HTTP headers and so forth, but we think it is optional to learn SQL and to treat the database as what it is. That really puzzles me. 
The only explanation I can come up with is people must be using really simple databases so that the inefficiencies at large table counts just never show up. This is probably where we simply disagree, though I hope we've fleshed out the positions to the point of usefulness to somebody sitting on the fence. > >> Actually you don't need ORM for that, you just need a generalized set of >> commands, like "db_query" instead of "pg_query" and "mysql_query". >> > > In other words, another layer of abstraction? Like ORM but not using > objects? :-) For me, it comes down to a choice between dealing with mappings > and all the database plumbing that that entails vs. letting an ORM layer > manage all that so I can concentrate on business logic and application > flow. > > Of course, there's always a trade off, like most things - I just think > writing say: > > event = Event.find(1) > event.title = "New title" > event.save > > more naturally expresses what Im doing than: > > UPDATE events SET TITLE="New title" where id=1 > ORM is definitely not a generalized (or abstracted as we say incorrectly these days) database layer. It is the attempt to cast database operations in object-oriented actions, using objects to implement validation, relationships, and other stuff. Your example above, by contrast, is not really ORM, it is just an update routine implemented using OO code. My own looks very similar but does not use OO code, because none is necessary: $row = array(); $row['first_name'] = 'Arkady'; $row['last_name'] = 'Bogdanov'; sql_insert('sometable',$row); ...and you can do the same for the other three basic operations of delete, update, and select. But your example and mine both stress what I said in the beginning, PHP is fine for row-by-row operations, that is what it is good at. 
But when you need to start doing reporting or on-screen displays, and the query requires even one or two joins, your performance tanks unless you just break down and write the query: SELECT blah,blah,blah FROM table 1 JOIN table 2 on x = y WHERE filters,filters,filters Then recurse through the results and spit out your HTML or generate your PDF or whatever. Trying to treat the rows as objects in that case is taking a good idea where it was never meant to go. > Once you start defining and updating many-to-many relationships, the SQL > becomes much more complex compared to writing code. > Again, not my experience. But that is probably because I implement the business logic on the database server, and I generate the code to do so out of a data dictionary. I haven't manually coded that stuff for 3 years and I hope I never have to again :) > I know I won't convince you but I think it important for people to hear > both sides and make up their own minds. > > Yup, couldn't agree more. It has been fun debating the topic. -- Kenneth Downs Secure Data Software, Inc. www.secdat.com www.andromeda-project.org 631-689-7200 Fax: 631-689-0527 cell: 631-379-0010 -------------- next part -------------- An HTML attachment was scrubbed... URL: From arzala at gmail.com Wed Sep 12 07:39:37 2007 From: arzala at gmail.com (Anirudh Zala) Date: Wed, 12 Sep 2007 17:09:37 +0530 Subject: [nycphp-talk] Keep login on two sites simultaneously by just login in any of the two sites.. In-Reply-To: References: Message-ID: <200709121709.37595.arzala@gmail.com> On Wednesday 12 Sep 2007 15:58:38 Rahmin Pavlovic wrote: > Aniesh joseph wrote: > > Hello, > > > > Is it possible to share the session in two sites? I have two sites both > > of them having same contents(login id & password) in the database.. So > > someone login in siteA, possible to login in siteB automatically? > > I like to keep a sort of "bridge" table for things like this. 
>
> Say, user logs into site A, and their session id -- or some hash of their
> personal data -- gets stored in the bridge table with a timestamp (and user
> id, or whatever else you want to link up to).
>
> If you drive content from one site to another, you could append their
> session id to the URL, and lookup that user on site B, within a given
> timeframe (say, 30min since the bridge timestamp was inserted).
>
> If the user/pass info is exactly the same on both sites, you could store a
> hash of that in the bridge table (as opposed to the session).
>
> If logins to site B are sensitive, you could include a counter in the
> bridge table to only allow one concurrent login.

If you are using session cookies (which are used in most implementations) then you can share them among multiple sites if the base domain is the same. For example, if siteA is http://www.example.com and siteB is http://subsite.example.com then you can read the session cookies of one site from the other (and vice versa, provided that you set the cookies the way it is required), hence there is no need to store data in a table or to pass any hash or string in the URL. Yahoo uses this technique because the structure of its services is like autos.yahoo.com, mail.yahoo.com etc. Hence they can share the same cookies on all services, as the main domain (yahoo.com) is the same.

This method can work only if you have 2 websites with the above domain name pattern. But if you have 2 different domains then the method shown by Rahmin is a must.

> _______________________________________________
> New York PHP Community Talk Mailing List
> http://lists.nyphp.org/mailman/listinfo/talk
>
> NYPHPCon 2006 Presentations Online
> http://www.nyphpcon.com
>
> Show Your Participation in New York PHP
> http://www.nyphp.org/show_participation.php

From chsnyder at gmail.com  Wed Sep 12 08:22:04 2007
From: chsnyder at gmail.com (csnyder)
Date: Wed, 12 Sep 2007 08:22:04 -0400
Subject: [nycphp-talk] "net" as timestamp?

On 9/12/07, Rahmin Pavlovic wrote:
>
> Why does "net" return 4hr + 20min ago, and why do I feel like I already
> lived it?

Looks like an inside joke.

    grep net ext/date/lib/*
    timezonemap.h: { "net", 0, 1200, "Europe/Amsterdam" },

Some kind of "special" timezone for Amsterdam. Sigh.

-- 
Chris Snyder
http://chxo.com/

From chsnyder at gmail.com  Wed Sep 12 08:23:29 2007
From: chsnyder at gmail.com (csnyder)
Date: Wed, 12 Sep 2007 08:23:29 -0400
Subject: [nycphp-talk] "net" as timestamp?

On 9/12/07, csnyder wrote:
> Some kind of "special" timezone for Amsterdam. Sigh.

Actually, my bad pattern matching brain. It's a real timezone for the Netherlands. Seems like a bug if it's giving you the wrong time.

/shame

-- 
Chris Snyder
http://chxo.com/

From lists at zaunere.com  Wed Sep 12 10:13:15 2007
From: lists at zaunere.com (Hans Zaunere)
Date: Wed, 12 Sep 2007 10:13:15 -0400
Subject: [nycphp-talk] ReMIX 07 Free Passes
Message-ID: <007101c7f547$0f7111e0$651ba8c0@MobileZ>

Hello all,

We have free conference passes to Microsoft's ReMIX07 conference in Boston, October 8-9.

"Multi-track sessions for designers and developers covering Silverlight, AJAX, Virtual Earth, .Net 3.0/3.5, Expression and Visual Studio"

http://www.remix07boston.com/

Including, of course, a PHP talk: "Partying with PHP (...and the Microsoft Platform)"

RSVP Code: RM07WDS

I'll look to be at the conference as well, so hope to see a few there.

---
Hans Zaunere / President / New York PHP
www.nyphp.org / www.nyphp.com

From rahmin at insite-out.com  Wed Sep 12 12:16:29 2007
From: rahmin at insite-out.com (Rahmin Pavlovic)
Date: Wed, 12 Sep 2007 12:16:29 -0400
Subject: [nycphp-talk] "net" as timestamp?

csnyder wrote:
> grep net ext/date/lib/*
> timezonemap.h: { "net", 0, 1200, "Europe/Amsterdam" },

Sweet jelly--looks like there're a lot of those: http://tinyurl.com/yphczl

Would you happen to know of any parsers out there?
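Chris's grep shows why "net" parses at all: timelib's timezonemap.h lists it as a timezone abbreviation with a 1200-second (+00:20) offset, so strtotime() treats the word as a zone instead of rejecting it. As an added example (not code from this thread), the function below answers Rahmin's question about parsers from the validation side: it accepts only a declared format and returns null for anything strtotime() would have guessed at. The function name, the format and the sample strings are constructed for this example.

```php
<?php
declare(strict_types=1);

// Added example (not from the thread): accept dates only in a declared
// format, instead of letting strtotime() guess what "net" or "next thursday"
// means. Rejected input yields null, never a silently shifted timestamp.

function parse_strict_date(string $input, string $format = 'Y-m-d H:i:s'): ?DateTimeImmutable
{
    // '!' resets every field the format does not mention, so nothing leaks in from "now".
    $dt = DateTimeImmutable::createFromFormat('!' . $format, $input, new DateTimeZone('UTC'));
    if ($dt === false) {
        return null;                       // format mismatch or trailing data
    }

    // createFromFormat() reports overflow such as 2007-02-31 as a warning, not a failure,
    // and still returns a (normalised) object. Treat warnings as rejection.
    $errors = DateTimeImmutable::getLastErrors();
    if (is_array($errors) && ($errors['warning_count'] > 0 || $errors['error_count'] > 0)) {
        return null;
    }

    // Round trip: the canonical rendering must equal the input byte for byte,
    // which also catches alternate spellings the parser quietly tolerated.
    if ($dt->format($format) !== $input) {
        return null;
    }
    return $dt;
}

// Constructed sample inputs, as they might arrive from a form field.
$samples = [
    '2007-09-12 08:22:04',   // well formed
    '2007-02-31 00:00:00',   // day overflow; strtotime() normalises this to March 3
    'net',                   // bare timezone abbreviation, the case from the thread
    'next thursday',         // relative expression strtotime() happily resolves
    '2007-09-12 08:22:04 x', // trailing garbage
];

foreach ($samples as $s) {
    $loose  = strtotime($s);
    $strict = parse_strict_date($s);
    printf(
        "%-26s strtotime(): %-9s strict: %s\n",
        var_export($s, true),
        $loose === false ? 'false' : 'accepted',
        $strict === null ? 'rejected' : $strict->format(DATE_ATOM)
    );
}
```

Only the first sample survives the strict parser; the other four are accepted by strtotime() on the PHP versions of the thread, each producing a plausible but wrong timestamp.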
From rmarscher at beaffinitive.com  Wed Sep 12 12:36:31 2007
From: rmarscher at beaffinitive.com (Rob Marscher)
Date: Wed, 12 Sep 2007 12:36:31 -0400
Subject: [nycphp-talk] ORM anyone?
In-Reply-To: <46E7CD6D.6060006@secdat.com>
References: <46E7CD6D.6060006@secdat.com>
Message-ID: <1B6E2849-5D5A-4220-85F0-E6ABC97BFA24@beaffinitive.com>

I think ORM definitely fits a lot of common models. It can be great for rapid development, which is why frameworks like Ruby on Rails and CakePHP have it built in. You just define the fields and the relationships to other objects, and the built-in methods for saving the objects (which will maintain your foreign keys), retrieving an object (and their related objects), and getting listings of objects work without any additional coding.

There are other cases where you might need tables that don't fit an OOP model -- or you need custom SQL to get the best optimized listings. Even if you use ORM, you still need to understand the SQL layer underneath to really optimize your application.

I haven't used the open source PHP ORM solutions (Propel, CakePHP, etc) -- but I hear there are ways to configure/tune them to get better optimized SQL under the covers. That would be a presentation I'd like to see. Anyone have experience with this?

-Rob

From jonbaer at jonbaer.com  Wed Sep 12 13:07:47 2007
From: jonbaer at jonbaer.com (Jon Baer)
Date: Wed, 12 Sep 2007 13:07:47 -0400
Subject: [nycphp-talk] ORM anyone?
In-Reply-To: <1B6E2849-5D5A-4220-85F0-E6ABC97BFA24@beaffinitive.com>
References: <46E7CD6D.6060006@secdat.com> <1B6E2849-5D5A-4220-85F0-E6ABC97BFA24@beaffinitive.com>
Message-ID: <13B80C7D-1210-4906-9959-08AB7BD4EB41@jonbaer.com>

(This might have already been mentioned, sorry, lost some emails) ... I think no matter what ORM framework you pick you always have to look @ its lazy + eager loading options (this is even before the optimization). You can run into big problems if you don't consider the timing of data in your app; most ORM fanatics think it's great that you get all that functionality, and some praise caching as a solution, but never realize they are working with stale child objects in the end and have to code workarounds themselves. For the most part the agile benefit of using it in a dev environment outweighs this issue, but it is definitely something to review in a project.

- Jon

On Sep 12, 2007, at 12:36 PM, Rob Marscher wrote:

> I think ORM definitely fits a lot of common models. It can be
> great for rapid development which is why frameworks like Ruby on
> Rails and CakePHP have it built in. You just define the fields and
> the relationships to other objects and the built in methods for
> saving the objects (which will maintain your foreign keys),
> retrieving an object (and their related objects), and get listings
> of objects work without any additional coding.
>
> There are other cases where you might need tables that don't fit to
> an OOP model -- or you need custom sql to get the best optimized
> listings. Even if you use ORM, you still need to understand the
> SQL layer underneath to really optimize your application.
>
> I haven't used the open source php ORM solutions (Propel, CakePHP,
> etc) -- but I hear there are ways to configure/tune them to get
> better optimized sql under-the-covers. That would be a
> presentation I'd like to see. Anyone have experience with this?
>
> -Rob

From danielc at analysisandsolutions.com  Wed Sep 12 17:44:34 2007
From: danielc at analysisandsolutions.com (Daniel Convissor)
Date: Wed, 12 Sep 2007 17:44:34 -0400
Subject: [nycphp-talk] AJAX and State
In-Reply-To: <46E138C2.3040307@metalab.unc.edu>
References: <46DD54B0.5060803@secdat.com> <46E1238E.5010307@metalab.unc.edu> <46E12D4A.2010204@secdat.com> <46E12F93.4040700@metalab.unc.edu> <46E132B0.9010400@secdat.com> <46E138C2.3040307@metalab.unc.edu>
Message-ID: <20070912214433.GA11305@panix.com>

On Fri, Sep 07, 2007 at 07:40:50AM -0400, Elliotte Harold wrote:
>
> Nonetheless, the username and password should be transmitted with each
> request (in the HTTP header, not the URL)

Are you saying the web browser should send the user name and password to the HTTP server on each request? That's a lousy idea.

> so that it doesn't matter
> whether I've switched browsers, rebooted my machine, or told my office
> manager to login under my name on her PC.

How.

--Dan

-- 
 T H E   A N A L Y S I S   A N D   S O L U T I O N S   C O M P A N Y
            data intensive web and database programming
               http://www.AnalysisAndSolutions.com/
 4015 7th Ave #4, Brooklyn NY 11232  v: 718-854-0335 f: 718-854-0409

From lists at enobrev.com  Wed Sep 12 23:18:26 2007
From: lists at enobrev.com (Mark Armendariz)
Date: Wed, 12 Sep 2007 23:18:26 -0400
Subject: [nycphp-talk] Books & magazines
In-Reply-To: <46E2D692.8020703@beezifies.com>
References: <46E2D692.8020703@beezifies.com>
Message-ID: <46E8AC02.1020100@enobrev.com>

Gary Mort wrote:
> Just wondering what books and magazines people here particularly like
> for PHP programming. Which are good for learning, and which are good
> for reference.

I'm a huge fan of Code Complete by Steve McConnell, which is an incredible gathering of best practices for programming in general (regardless of language). I tend to resort to Jeffrey Friedl's Mastering Regular Expressions quite often as well. I used to receive both PHP|Architect and PHP Magazine - both were very informative.

Otherwise, anything by Charles Bukowski or Hunter S. Thompson.

Mark

From ajai at bitblit.net  Thu Sep 13 10:50:24 2007
From: ajai at bitblit.net (Ajai Khattri)
Date: Thu, 13 Sep 2007 10:50:24 -0400 (EDT)
Subject: [nycphp-talk] ORM anyone?
In-Reply-To: <46E7CD6D.6060006@secdat.com>

On Wed, 12 Sep 2007, Kenneth Downs wrote:

> ... We accept the obligation
> to learn HTML, CSS and Javascript, and even a few things about HTTP
> headers and so forth, but we think it is optional to learn SQL and to
> treat the database as what it is. That really puzzles me. The only
> explanation I can come up with is people must be using really simple
> databases so that the inefficiencies at large table counts just never
> show up.

OR

I think what you're saying here kind of proves my point. HTML and CSS are easy to learn no matter if you're a programmer or not. And in the OOP world, JavaScript, Ruby, Python, C++, Java are all similar enough that most programmers will find the learning curve fairly shallow. Learning about database design, normalization and SQL is outside of both of those worlds.

I'm not saying this is right or wrong, or that everything must be done with an ORM layer always, but you can see where the friction gets introduced. This is why, for example, migrations exist in Ruby on Rails.

-- 
Aj.
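Kenneth's `sql_insert('sometable', $row)` near the top of this thread, and the ORM layers Rob, Jon and Ajai discuss, all end up turning an associative array into an INSERT. As an added example, not Kenneth's code or any framework's, here is one way to write that helper so that array keys are checked against a known column list before they reach the SQL text and values travel only as bound parameters. The `SCHEMA` map, the `events` table, `quote_ident()` and the in-memory SQLite database are assumptions made for this example.

```php
<?php
declare(strict_types=1);

// Added example (not code from the thread): an array-driven INSERT helper in
// the style of Kenneth's sql_insert(), written so that untrusted array keys
// cannot become SQL and values are always bound, never interpolated.

// Assumed data dictionary: table name => list of insertable columns.
// Anything not listed here is rejected before any SQL is assembled.
const SCHEMA = [
    'events' => ['title', 'starts_at', 'owner_id'],
];

function quote_ident(string $name): string
{
    // Identifiers cannot be bound as parameters, so restrict them to a
    // conservative pattern and wrap them in standard SQL double quotes.
    if (!preg_match('/\A[A-Za-z_][A-Za-z0-9_]*\z/', $name)) {
        throw new InvalidArgumentException("bad identifier: $name");
    }
    return '"' . $name . '"';
}

function sql_insert(PDO $db, string $table, array $row): int
{
    if (!array_key_exists($table, SCHEMA)) {
        throw new InvalidArgumentException("unknown table: $table");
    }
    if ($row === []) {
        throw new InvalidArgumentException('empty row');
    }
    // Column names come from the caller's array keys. Keep only known columns,
    // so a key such as "is_admin" smuggled into a form post is never inserted.
    $unknown = array_diff(array_keys($row), SCHEMA[$table]);
    if ($unknown !== []) {
        throw new InvalidArgumentException('unknown columns: ' . implode(', ', $unknown));
    }

    $sql = sprintf(
        'INSERT INTO %s (%s) VALUES (%s)',
        quote_ident($table),
        implode(', ', array_map('quote_ident', array_keys($row))),
        implode(', ', array_fill(0, count($row), '?'))
    );
    $stmt = $db->prepare($sql);
    $stmt->execute(array_values($row));   // values are bound parameters
    return (int) $db->lastInsertId();
}

// Constructed demo on an in-memory SQLite database.
$db = new PDO('sqlite::memory:', null, null, [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false,
]);
$db->exec('CREATE TABLE events (id INTEGER PRIMARY KEY, title TEXT, starts_at TEXT, owner_id INTEGER)');

// Happy path: a quote or semicolon inside a value is just data once it is bound.
$id = sql_insert($db, 'events', [
    'title'     => "Ken's ORM talk'); DROP TABLE events; --",
    'starts_at' => '2007-09-12 19:00:00',
    'owner_id'  => 42,
]);
printf(
    "inserted id %d, events table still present: %d\n",
    $id,
    (int) $db->query("SELECT count(*) FROM sqlite_master WHERE name = 'events'")->fetchColumn()
);

// Untrusted keys are refused instead of being spliced into the statement.
try {
    sql_insert($db, 'events', ['title' => 'x', 'owner_id) VALUES (1); --' => 'y']);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
```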
From david at davidmintz.org  Thu Sep 13 16:26:46 2007
From: david at davidmintz.org (David Mintz)
Date: Thu, 13 Sep 2007 16:26:46 -0400
Subject: [nycphp-talk] hats off to Matthew
Message-ID: <721f1cc50709131326o568a62e4r11dfc852f904e6c1@mail.gmail.com>

Kudos to Matthew Weier O'Phinney for traveling to New York City yesterday and giving a fine presentation on ZF for nyphp.org in the back room of a loud bar where the screen was too far away for the audience to read the text. You made it look easy. Thanks also for answering question after question on *@lists.zend.com lists as well as in noisy downtown New York bars. (-:

David

-- 
David Mintz
http://davidmintz.org/

The subtle source is clear and bright
The tributary streams flow through the darkness

From danielc at analysisandsolutions.com  Thu Sep 13 18:15:07 2007
From: danielc at analysisandsolutions.com (Daniel Convissor)
Date: Thu, 13 Sep 2007 18:15:07 -0400
Subject: [nycphp-talk] php authentication form
Message-ID: <20070913221507.GA793@panix.com>

On Fri, Sep 07, 2007 at 10:54:23AM -0300, Henry Ponce wrote:
>
> I have a form that currently checks if the username and password are correct
> in mysql database. I need to know if it's possible to check this information
> on apache server, using maybe $_SERVER['PHP_AUTH_USER'] and
> $_SERVER['PHP_AUTH_PW'].

A bit late, perhaps you already figured this out...

If you're using HTTP Basic authentication, yes.

I'm not sure you really want to do this. The data gets cached in the browser. Are you doing this via a TLS/SSL/https connection? Otherwise your username/passwords are available to snoopers, etc.

--Dan

-- 
 T H E   A N A L Y S I S   A N D   S O L U T I O N S   C O M P A N Y
            data intensive web and database programming
               http://www.AnalysisAndSolutions.com/
 4015 7th Ave #4, Brooklyn NY 11232  v: 718-854-0335 f: 718-854-0409

From cliff at pinestream.com  Thu Sep 13 18:27:51 2007
From: cliff at pinestream.com (Cliff Hirsch)
Date: Thu, 13 Sep 2007 18:27:51 -0400
Subject: [nycphp-talk] Class name conflict with Pear Pager

Shana Tovah:

I have a class called Pager. Bad name. This conflicts with Pear Pager. It is used in a zillion places so changing the name would be a pain. Not a big deal, but a pain. To date, I have just been deleting or renaming the Pear Pager class, but every time I "refresh" PHP, the problem crops up again. Any global suggestions on how to address class name conflicts with Pear?

Cliff

From rolan at omnistep.com  Thu Sep 13 18:40:52 2007
From: rolan at omnistep.com (Rolan Yang)
Date: Thu, 13 Sep 2007 18:40:52 -0400
Subject: [nycphp-talk] Class name conflict with Pear Pager
Message-ID: <46E9BC74.8000209@omnistep.com>

Cliff Hirsch wrote:
> Shana Tovah:
>
> I have a class called Pager. Bad name. This conflicts with Pear Pager.
> It is used in a zillion places so changing the name would be a pain.
> Not a big deal, but a pain. To date, I have just been deleting or
> renaming the Pear Pager class, but every time I "refresh" PHP, the
> problem crops up again. Any global suggestions on how to address class
> name conflicts with Pear?
>
> Cliff

If the summation of your "refresh" pains exceeds the one-time pain in changing the name, try a perl global search and replace.
See the "perl -pi -e" examples at the bottom of http://www.oreilly.com/pub/h/73

~Rolan

From rolan at omnistep.com  Thu Sep 13 18:46:07 2007
From: rolan at omnistep.com (Rolan Yang)
Date: Thu, 13 Sep 2007 18:46:07 -0400
Subject: [nycphp-talk] Class name conflict with Pear Pager
In-Reply-To: <46E9BC74.8000209@omnistep.com>
References: <46E9BC74.8000209@omnistep.com>
Message-ID: <46E9BDAF.8090501@omnistep.com>

Rolan Yang wrote:
> Cliff Hirsch wrote:
>> Shana Tovah:
>>
>> I have a class called Pager. Bad name. This conflicts with Pear
>> Pager. It is used in a zillion places so changing the name would be a
>> pain. Not a big deal, but a pain. To date, I have just been deleting
>> or renaming the Pear Pager class, but every time I "refresh" PHP, the
>> problem crops up again. Any global suggestions on how to address
>> class name conflicts with Pear?
>>
>> Cliff
>
> If the summation of your "refresh" pains exceed the one-time pain in
> changing the name, try a perl global search and replace.
> See the "perl -pi -e" examples at the bottom of
> http://www.oreilly.com/pub/h/73
>
> ~Rolan

That was a bit confusing in English. Perhaps this code snippet will clarify things a bit:

    if (array_sum($refreshPains) > $searchAndReplacePain) {
        readfile('http://www.oreilly.com/pub/h/73');
    }

From danielc at analysisandsolutions.com  Thu Sep 13 21:04:56 2007
From: danielc at analysisandsolutions.com (Daniel Convissor)
Date: Thu, 13 Sep 2007 21:04:56 -0400
Subject: [nycphp-talk] Class name conflict with Pear Pager
Message-ID: <20070914010456.GA14287@panix.com>

On Thu, Sep 13, 2007 at 06:27:51PM -0400, Cliff Hirsch wrote:
> Shana Tovah:
>
> I have a class called Pager. Bad name. This conflicts with Pear Pager. It is
> used in a zillion places so changing the name would be a pain. Not a big
> deal, but a pain. To date, I have just been deleting or renaming the Pear
> Pager class,

That's crazy. Rename your class and be done with it. It's such an easy fix.

One way:

* Either use grep or your favorite text editor to open all files that refer to either Pager class. For example, using cygwin on windows:

      grep -rlE 'new Pager|new YourFakePearPagerName' . | xargs -i ep {} &

  (replacing ep at the end with the name of your editor)

* Search and replace in all files YourFakePearPagerName with XXXTempPgrName
* Search and replace in all files Pager with NewNameForYourPagerClass
* Finally search and replace XXXTempPgrName with Pager.
* Save all files.

It took me longer to write this email than it would have taken to solve the problem once and for all.

--Dan

-- 
 T H E   A N A L Y S I S   A N D   S O L U T I O N S   C O M P A N Y
            data intensive web and database programming
               http://www.AnalysisAndSolutions.com/
 4015 7th Ave #4, Brooklyn NY 11232  v: 718-854-0335 f: 718-854-0409

From ken at secdat.com  Fri Sep 14 07:19:38 2007
From: ken at secdat.com (Kenneth Downs)
Date: Fri, 14 Sep 2007 07:19:38 -0400
Subject: [nycphp-talk] ORM anyone?
Message-ID: <46EA6E4A.9050504@secdat.com>

Ajai Khattri wrote:
> On Wed, 12 Sep 2007, Kenneth Downs wrote:
>
>> ... We accept the obligation
>> to learn HTML, CSS and Javascript, and even a few things about HTTP
>> headers and so forth, but we think it is optional to learn SQL and to
>> treat the database as what it is. That really puzzles me. The only
>> explanation I can come up with is people must be using really simple
>> databases so that the inefficiencies at large table counts just never
>> show up.
>
> OR
>
> I think what you're saying here kind of proves my point. HTML and CSS are
> easy to learn no matter if you're a programmer or not. And in the OOP
> world, JavaScript, Ruby, Python, C++, Java are all similar enough that
> most programmers will find the learning curve fairly shallow. Learning
> about database design, normalization and SQL is outside of both of those
> worlds.

It seems we are saying the same thing on a crucial point: SQL/RDBMS is not OOP.
It comes down to our different responses to that reality. Your response is, if I may characterize it, /to cast the unknown in terms of the known./ The goal of all ORM projects is to make tables look like objects so they can be manipulated in known terms. This seems to make great sense and to be wise. I used to do this myself and thought it was a great idea.

I have since found that it is counter-productive, at least for me and the programmers I've worked with. I have found a far more productive approach to be to /use each tool as it works best./ With this approach I would not treat a table as an object because a table is not an object, or a class or an interface! I think that is where we differ.

> I'm not saying this is right or wrong, or that everything must be done
> with an ORM layer always, but you can see where the friction gets
> introduced. This is why, for example, migrations exist in Ruby on Rails.

Agreed insofar as there is much personal preference involved in these decisions.

-- 
Kenneth Downs
Secure Data Software, Inc.
www.secdat.com    www.andromeda-project.org
631-689-7200   Fax: 631-689-0527   cell: 631-379-0010

From paulcheung at tiscali.co.uk  Fri Sep 14 09:09:30 2007
From: paulcheung at tiscali.co.uk (PaulCheung)
Date: Fri, 14 Sep 2007 14:09:30 +0100
Subject: [nycphp-talk] Emailing from a PHP script
Message-ID: <004201c7f6d0$7cc0f780$0200a8c0@X9183>

Can anybody see what I am doing wrong??

I have set php.ini (as per the manual) to my email settings:
======================================
    [mail function]
    ; For Win32 only.
    SMTP = smtp.tiscali.co.uk
    smtp_port = 25

    ; For Win32 only.
    sendmail_from = paulcheung at tiscali.co.uk
========================================================
I run the script and the following message appears:

    Warning: mail() [function.mail]: Failed to connect to mailserver at "localhost" port 25, verify your "SMTP" and "smtp_port" setting in php.ini or use ini_set() in C:\xampp\htdocs\tp_access.php on line 61
========================================================
Script line 61:

    mail($to, $subject, $message, "From: paulcheung at tiscali.co.uk");

Following the textbook example it should work - why am I directed to localhost??

From nikola.mitic at gmail.com  Fri Sep 14 09:27:08 2007
From: nikola.mitic at gmail.com (Nikola Mitic)
Date: Fri, 14 Sep 2007 15:27:08 +0200
Subject: [nycphp-talk] Emailing from a PHP script
In-Reply-To: <004201c7f6d0$7cc0f780$0200a8c0@X9183>
References: <004201c7f6d0$7cc0f780$0200a8c0@X9183>
Message-ID: <6b1dc5090709140627td55d1dg76d7472abdc1992a@mail.gmail.com>

It looks OK. Can you check that you changed the php.ini file that your server is using? You can see that with

Best,
Nikola Mitic
http://www.twospots.com

On 9/14/07, PaulCheung wrote:
>
> Can anybody see what I am doing wrong??
>
> I have set php.ini (as per the manual) to my email settings
> ======================================
> [mail function]
> ; For Win32 only.
> SMTP = smtp.tiscali.co.uk
> smtp_port = 25
>
> ; For Win32 only.
> sendmail_from = paulcheung at tiscali.co.uk
> ========================================================
> I run the script and the following message appears
>
> Warning: mail() [function.mail]: Failed to connect to mailserver at
> "localhost" port 25, verify your "SMTP" and "smtp_port" setting in php.ini
> or use ini_set() in C:\xampp\htdocs\tp_access.php on line 61
> ========================================================
> script line 61 mail($to, $subject, $message, "From:
> paulcheung at tiscali.co.uk");
>
> Following the textbook example it should work - why am I directed to
> localhost??
From kenrbnsn at rbnsn.com  Fri Sep 14 09:32:07 2007
From: kenrbnsn at rbnsn.com (Ken Robinson)
Date: Fri, 14 Sep 2007 09:32:07 -0400
Subject: [nycphp-talk] Emailing from a PHP script
In-Reply-To: <004201c7f6d0$7cc0f780$0200a8c0@X9183>
References: <004201c7f6d0$7cc0f780$0200a8c0@X9183>

At 09:09 AM 9/14/2007, PaulCheung wrote:
>Can anybody see what I am doing wrong??
>
>I have set php.ini (as per the manual) to my email settings
>======================================
>[mail function]
>; For Win32 only.
>SMTP = smtp.tiscali.co.uk
>smtp_port = 25
>
>; For Win32 only.
>sendmail_from = paulcheung at tiscali.co.uk
>========================================================
>I run the script and the following message appears

Did you restart your web server (Apache?) after making the changes to the PHP.INI file? This has to be done for the changes to take effect.

Ken

From paulcheung at tiscali.co.uk  Fri Sep 14 09:42:36 2007
From: paulcheung at tiscali.co.uk (PaulCheung)
Date: Fri, 14 Sep 2007 14:42:36 +0100
Subject: [nycphp-talk] Emailing from a PHP script
References: <004201c7f6d0$7cc0f780$0200a8c0@X9183> <46E9B582004E7A82@mail-8-uk.mail.tiscali.sys> (added by postmaster@mail-8.uk.tiscali.com)
Message-ID: <001001c7f6d5$1cb4daf0$0200a8c0@X9183>

Yes I did that, and the direction to localhost disappeared and I got the following message:

    Warning: mail() [function.mail]: "sendmail_from" not set in php.ini or custom "From:" header missing in C:\xampp\htdocs\tp_access.php on line 61

----- Original Message -----
From: "Ken Robinson"
To: "NYPHP Talk"
Sent: Friday, September 14, 2007 2:32 PM
Subject: Re: [nycphp-talk] Emailing from a PHP script

> At 09:09 AM 9/14/2007, PaulCheung wrote:
>>Can anybody see what I am doing wrong??
>>
>>I have set php.ini (as per the manual) to my email settings
>>======================================
>>[mail function]
>>; For Win32 only.
>>SMTP = smtp.tiscali.co.uk
>>smtp_port = 25
>>
>>; For Win32 only.
>>sendmail_from = paulcheung at tiscali.co.uk
>>========================================================
>>I run the script and the following message appears
>
> Did you restart your web server (Apache?) after making the changes to the
> PHP.INI file? This has to be done for the changes to take effect.
> > Ken > _______________________________________________ > New York PHP Community Talk Mailing List > http://lists.nyphp.org/mailman/listinfo/talk > > NYPHPCon 2006 Presentations Online > http://www.nyphpcon.com > > Show Your Participation in New York PHP > http://www.nyphp.org/show_participation.php From cliff at pinestream.com Fri Sep 14 10:09:24 2007 From: cliff at pinestream.com (Cliff Hirsch) Date: Fri, 14 Sep 2007 10:09:24 -0400 Subject: [nycphp-talk] Class name conflict with Pear Pager In-Reply-To: <20070914010456.GA14287@panix.com> Message-ID: On 9/13/07 9:04 PM, "Daniel Convissor" wrote: > On Thu, Sep 13, 2007 at 06:27:51PM -0400, Cliff Hirsch wrote: >> I have a class called Pager. Bad name. This conflicts with Pear Pager. It is >> used in a zilion places so changing the name would be a pain. Not a big >> deal, but a pain. To date, I have just been deleting or renaming the Pear >> Pager class, readfile('http://www.oreilly.com/pub/h/73'); > * Either use grep or your favorite text editor to open all files that > refer to either Pager class. For example, using cygwin on windows: Thanks Dan and Rolan: Sounds like I just need to stop being lazy and fix it once and for all. Cliff From jsia18 at yahoo.com Fri Sep 14 10:24:41 2007 From: jsia18 at yahoo.com (Jason Sia) Date: Fri, 14 Sep 2007 07:24:41 -0700 (PDT) Subject: [nycphp-talk] Emailing from a PHP script Message-ID: <52054.93970.qm@web37901.mail.mud.yahoo.com> you are just using XAMPP for windows right? ----- Original Message ---- From: Ken Robinson To: NYPHP Talk Sent: Friday, September 14, 2007 9:32:07 PM Subject: Re: [nycphp-talk] Emailing from a PHP script At 09:09 AM 9/14/2007, PaulCheung wrote: >Can anybody see what I am doing wrong?? > >I have set php.ini (as per the manual) to my email settings >====================================== >[mail function] >; For Win32 only. >SMTP = smtp.tiscali.co.uk >smtp_port = 25 > >; For Win32 only. 
>sendmail_from = paulcheung at tiscali.co.uk >======================================================== >I run the script and the following message appears Did you restart your web server (Apache?) after making the changes to the PHP.INI file? This has to be done for the changes to take affect. Ken _______________________________________________ New York PHP Community Talk Mailing List http://lists.nyphp.org/mailman/listinfo/talk NYPHPCon 2006 Presentations Online http://www.nyphpcon.com Show Your Participation in New York PHP http://www.nyphp.org/show_participation.php Send instant messages to your online friends http://uk.messenger.yahoo.com -------------- next part -------------- An HTML attachment was scrubbed... URL: From paulcheung at tiscali.co.uk Fri Sep 14 10:37:11 2007 From: paulcheung at tiscali.co.uk (PaulCheung) Date: Fri, 14 Sep 2007 15:37:11 +0100 Subject: [nycphp-talk] Emailing from a PHP script References: <52054.93970.qm@web37901.mail.mud.yahoo.com> Message-ID: <001a01c7f6dc$bda98530$0200a8c0@X9183> Yes, that is correct. Has this anything to do with my problem? ----- Original Message ----- From: Jason Sia To: NYPHP Talk Sent: Friday, September 14, 2007 3:24 PM Subject: Re: [nycphp-talk] Emailing from a PHP script you are just using XAMPP for windows right? ----- Original Message ---- From: Ken Robinson To: NYPHP Talk Sent: Friday, September 14, 2007 9:32:07 PM Subject: Re: [nycphp-talk] Emailing from a PHP script At 09:09 AM 9/14/2007, PaulCheung wrote: >Can anybody see what I am doing wrong?? > >I have set php.ini (as per the manual) to my email settings >====================================== >[mail function] >; For Win32 only. >SMTP = smtp.tiscali.co.uk >smtp_port = 25 > >; For Win32 only. >sendmail_from = paulcheung at tiscali.co.uk >======================================================== >I run the script and the following message appears Did you restart your web server (Apache?) after making the changes to the PHP.INI file? 
This has to be done for the changes to take affect. Ken _______________________________________________ New York PHP Community Talk Mailing List http://lists.nyphp.org/mailman/listinfo/talk NYPHPCon 2006 Presentations Online http://www.nyphpcon.com Show Your Participation in New York PHP http://www.nyphp.org/show_participation.php Send instant messages to your online friends http://uk.messenger.yahoo.com ------------------------------------------------------------------------------ _______________________________________________ New York PHP Community Talk Mailing List http://lists.nyphp.org/mailman/listinfo/talk NYPHPCon 2006 Presentations Online http://www.nyphpcon.com Show Your Participation in New York PHP http://www.nyphp.org/show_participation.php -------------- next part -------------- An HTML attachment was scrubbed... URL: From jsia18 at yahoo.com Fri Sep 14 11:00:23 2007 From: jsia18 at yahoo.com (Jason Sia) Date: Fri, 14 Sep 2007 08:00:23 -0700 (PDT) Subject: [nycphp-talk] Emailing from a PHP script Message-ID: <206328.34768.qm@web37906.mail.mud.yahoo.com> ok that will not really work you should use SMTP=localhost then download QK SMTP Server to make this work. ----- Original Message ---- From: PaulCheung To: NYPHP Talk Sent: Friday, September 14, 2007 10:37:11 PM Subject: Re: [nycphp-talk] Emailing from a PHP script DIV { MARGIN:0px;} Yes, that is correct. Has this anything to do with my problem? ----- Original Message ----- From: Jason Sia To: NYPHP Talk Sent: Friday, September 14, 2007 3:24 PM Subject: Re: [nycphp-talk] Emailing from a PHP script you are just using XAMPP for windows right? ----- Original Message ---- From: Ken Robinson To: NYPHP Talk Sent: Friday, September 14, 2007 9:32:07 PM Subject: Re: [nycphp-talk] Emailing from a PHP script At 09:09 AM 9/14/2007, PaulCheung wrote: >Can anybody see what I am doing wrong?? 
> >I have set php.ini (as per the manual) to my email settings >====================================== >[mail function] >; For Win32 only. >SMTP = smtp.tiscali.co.uk >smtp_port = 25 > >; For Win32 only. >sendmail_from = paulcheung at tiscali.co.uk >======================================================== >I run the script and the following message appears Did you restart your web server (Apache?) after making the changes to the PHP.INI file? This has to be done for the changes to take affect. Ken _______________________________________________ New York PHP Community Talk Mailing List http://lists.nyphp.org/mailman/listinfo/talk NYPHPCon 2006 Presentations Online http://www.nyphpcon.com Show Your Participation in New York PHP http://www.nyphp.org/show_participation.php Send instant messages to your online friends http://uk.messenger.yahoo.com _______________________________________________ New York PHP Community Talk Mailing List http://lists.nyphp.org/mailman/listinfo/talk NYPHPCon 2006 Presentations Online http://www.nyphpcon.com Show Your Participation in New York PHP http://www.nyphp.org/show_participation.php Send instant messages to your online friends http://uk.messenger.yahoo.com -------------- next part -------------- An HTML attachment was scrubbed... URL: From paulcheung at tiscali.co.uk Fri Sep 14 11:34:56 2007 From: paulcheung at tiscali.co.uk (PaulCheung) Date: Fri, 14 Sep 2007 16:34:56 +0100 Subject: [nycphp-talk] Emailing from a PHP script References: <206328.34768.qm@web37906.mail.mud.yahoo.com> Message-ID: <001201c7f6e4$cdf04340$0200a8c0@X9183> Thanks for the solution. I've tried it and it did not work for me changed php.ini to reflect change rebooted my system. Don't really understand why it is necessary to download QK SMTP Has all my problems been something to do with XAMPP under windows?? 
Paul

----- Original Message -----
From: Jason Sia
To: NYPHP Talk
Sent: Friday, September 14, 2007 4:00 PM
Subject: Re: [nycphp-talk] Emailing from a PHP script

OK, that will not really work. You should use SMTP=localhost, then download QK SMTP Server to make this work.

----- Original Message ----
From: PaulCheung
To: NYPHP Talk
Sent: Friday, September 14, 2007 10:37:11 PM
Subject: Re: [nycphp-talk] Emailing from a PHP script

Yes, that is correct. Has this anything to do with my problem?

----- Original Message -----
From: Jason Sia
To: NYPHP Talk
Sent: Friday, September 14, 2007 3:24 PM
Subject: Re: [nycphp-talk] Emailing from a PHP script

You are just using XAMPP for Windows, right?

----- Original Message ----
From: Ken Robinson
To: NYPHP Talk
Sent: Friday, September 14, 2007 9:32:07 PM
Subject: Re: [nycphp-talk] Emailing from a PHP script

At 09:09 AM 9/14/2007, PaulCheung wrote:
> Can anybody see what I am doing wrong??
>
> I have set php.ini (as per the manual) to my email settings
> ======================================
> [mail function]
> ; For Win32 only.
> SMTP = smtp.tiscali.co.uk
> smtp_port = 25
>
> ; For Win32 only.
> sendmail_from = paulcheung at tiscali.co.uk
> ========================================================
> I run the script and the following message appears

Did you restart your web server (Apache?) after making the changes to the PHP.INI file? This has to be done for the changes to take effect.
Ken

From jsia18 at yahoo.com Fri Sep 14 11:36:56 2007
From: jsia18 at yahoo.com (Jason Sia)
Date: Fri, 14 Sep 2007 08:36:56 -0700 (PDT)
Subject: [nycphp-talk] Emailing from a PHP script
Message-ID: <831989.10288.qm@web37902.mail.mud.yahoo.com>

In order to send mail you need SMTP. QK SMTP acts as your SMTP server. I use it with WAMP instead of XAMPP.

----- Original Message ----
From: PaulCheung
To: NYPHP Talk
Sent: Friday, September 14, 2007 11:34:56 PM
Subject: Re: [nycphp-talk] Emailing from a PHP script

Thanks for the solution. I've tried it and it did not work for me: changed php.ini to reflect the change, rebooted my system. Don't really understand why it is necessary to download QK SMTP. Have all my problems been something to do with XAMPP under Windows??
Paul

----- Original Message -----
From: Jason Sia
To: NYPHP Talk
Sent: Friday, September 14, 2007 4:00 PM
Subject: Re: [nycphp-talk] Emailing from a PHP script

OK, that will not really work. You should use SMTP=localhost, then download QK SMTP Server to make this work.

----- Original Message ----
From: PaulCheung
To: NYPHP Talk
Sent: Friday, September 14, 2007 10:37:11 PM
Subject: Re: [nycphp-talk] Emailing from a PHP script

Yes, that is correct. Has this anything to do with my problem?

----- Original Message -----
From: Jason Sia
To: NYPHP Talk
Sent: Friday, September 14, 2007 3:24 PM
Subject: Re: [nycphp-talk] Emailing from a PHP script

You are just using XAMPP for Windows, right?

----- Original Message ----
From: Ken Robinson
To: NYPHP Talk
Sent: Friday, September 14, 2007 9:32:07 PM
Subject: Re: [nycphp-talk] Emailing from a PHP script

At 09:09 AM 9/14/2007, PaulCheung wrote:
> Can anybody see what I am doing wrong??
>
> I have set php.ini (as per the manual) to my email settings
> ======================================
> [mail function]
> ; For Win32 only.
> SMTP = smtp.tiscali.co.uk
> smtp_port = 25
>
> ; For Win32 only.
> sendmail_from = paulcheung at tiscali.co.uk
> ========================================================
> I run the script and the following message appears

Did you restart your web server (Apache?) after making the changes to the PHP.INI file? This has to be done for the changes to take effect.
Ken

From jonbaer at jonbaer.com Fri Sep 14 13:51:41 2007
From: jonbaer at jonbaer.com (Jon Baer)
Date: Fri, 14 Sep 2007 13:51:41 -0400
Subject: [nycphp-talk] Emailing from a PHP script
In-Reply-To: <001201c7f6e4$cdf04340$0200a8c0@X9183>
References: <206328.34768.qm@web37906.mail.mud.yahoo.com> <001201c7f6e4$cdf04340$0200a8c0@X9183>
Message-ID:

What do the register_globals and safe_mode settings in your .ini file say?

- Jon

On Sep 14, 2007, at 11:34 AM, PaulCheung wrote:

> Thanks for the solution. I've tried it and it did not work for me: changed php.ini to reflect the change, rebooted my system. Don't really understand why it is necessary to download QK SMTP.
> Have all my problems been something to do with XAMPP under Windows??
>
> Paul

From ajai at bitblit.net Fri Sep 14 13:57:14 2007
From: ajai at bitblit.net (Ajai Khattri)
Date: Fri, 14 Sep 2007 13:57:14 -0400 (EDT)
Subject: [nycphp-talk] Emailing from a PHP script
In-Reply-To: <001201c7f6e4$cdf04340$0200a8c0@X9183>
Message-ID:

On Fri, 14 Sep 2007, PaulCheung wrote:

> Thanks for the solution. I've tried it and it did not work for me: changed php.ini to reflect the change, rebooted my system. Don't really understand why it is necessary to download QK SMTP.
> Have all my problems been something to do with XAMPP under Windows??

Do you know how SMTP works?

If you are trying to send through localhost, then PHP expects to be able to connect to port 25 on localhost and talk SMTP to it to send the email.

If you are using your ISP's mail server to send the email, then I would test from the command line by telnetting to port 25 of your ISP's mail server and trying to send an email via SMTP. If you can't connect to port 25 then I would check for things like firewall settings or whatever "security" suite you have running.

--
Aj.

From jsia18 at yahoo.com Fri Sep 14 20:24:26 2007
From: jsia18 at yahoo.com (Jason Sia)
Date: Fri, 14 Sep 2007 17:24:26 -0700 (PDT)
Subject: [nycphp-talk] Emailing from a PHP script
Message-ID: <294758.26813.qm@web37907.mail.mud.yahoo.com>

Based on experience, a lot of ISPs are blocking external access to their SMTPs. However, you could also try using your ISP's SMTP.

----- Original Message ----
From: Ajai Khattri
To: NYPHP Talk
Sent: Saturday, September 15, 2007 1:57:14 AM
Subject: Re: [nycphp-talk] Emailing from a PHP script

On Fri, 14 Sep 2007, PaulCheung wrote:

> Thanks for the solution. I've tried it and it did not work for me: changed php.ini to reflect the change, rebooted my system. Don't really understand why it is necessary to download QK SMTP.
> Have all my problems been something to do with XAMPP under Windows??

Do you know how SMTP works?
If you are trying to send through localhost, then PHP expects to be able to connect to port 25 on localhost and talk SMTP to it to send the email.

If you are using your ISP's mail server to send the email, then I would test from the command line by telnetting to port 25 of your ISP's mail server and trying to send an email via SMTP. If you can't connect to port 25 then I would check for things like firewall settings or whatever "security" suite you have running.

--
Aj.

From christinak at wll.com Sat Sep 15 11:41:57 2007
From: christinak at wll.com (Christina Karlhoff)
Date: Sat, 15 Sep 2007 11:41:57 -0400
Subject: [nycphp-talk] PHP script needs some filter help
Message-ID:

Hi all,

I will preface with this: I am not very experienced with PHP scripting. I do know a bit of ASP [classic], and have some skills in writing a web app (done using ASP classic and a little JScript).

The situation: Our company's website host server only processes scripts in PHP, Python, Cold Fusion [not in ASP - go figure]. Our website has three separate user information request forms on it; all were posted using a PHP mail script. One day, all of a sudden, we get 20-30 bogus forms mailed to us per day. Annoying and alarming. So I went searching for some way to control it. I managed to insert a PHP script with CAPTCHA into each, but we are still getting bogus forms sent to us. Not as many, but still annoying and no fun... email header injections, I take it?

So, I tried to follow along and use some PHP includes that I found posted on nyphp.org.
After adding some of the code and quite a few iterations, I'd keep getting these parsing errors, and could never get it to work. Can any of you help me out? Let me know... I don't know if I can attach the script I have and send it to you all or not... let me know that too. I would greatly appreciate it if anyone would be willing to have a quick look-see at my script and assist me in getting some PHP filtering into place. I'd also have the privilege to get some real PHP understanding under my belt.

Thanks so much!

Christina~

From paul at devonianfarm.com Sat Sep 15 12:50:05 2007
From: paul at devonianfarm.com (Paul Houle)
Date: Sat, 15 Sep 2007 12:50:05 -0400
Subject: [nycphp-talk] ORM vs SQL: the ultimate showdown
In-Reply-To: <46EA6E4A.9050504@secdat.com>
References: <46EA6E4A.9050504@secdat.com>
Message-ID: <46EC0D3D.3040600@devonianfarm.com>

I think of ORM as a partial solution to the problems of building database-backed web apps. People call database applications "CRUD" apps, short for

    Create
    Recall
    Update
    Delete

ORM is good for Create, and for many cases of Update and Delete. It can be used to do Recall, but can be disastrously slow for generating many kinds of reports.

Just the other day I was working with a Java Servlet-based webapp. I entered a text string with a single quote, which caused an error. The cause was code that would have looked like this in PHP:

    $conn->Execute("INSERT INTO users (first_name,last_name,organization)
                    VALUES ('$first_name','$last_name','$organization')");

This would have been OK if they'd written something like

    $first_name=addslashes($_POST["first_name"]);
    $last_name=addslashes($_POST["last_name"]);
    $organization=addslashes($_POST["organization"]);

But they didn't.
Neither do most developers. Now, there are tools that help with this: for instance, some database APIs will automatically quote things if you use placeholders. This style of doing things has its own problems: let's say the user table has a lot of fields...

    $conn->Execute("
        INSERT INTO users
        (first_name,last_name,organization,address1, ... 20 more fields ..., birthday, favorite_color)
        VALUES
        (?,?,?,?,... 20 more question marks ...,?,?)
    ",array($first_name,$last_name,$organization,$address1,... 20 more fields...,$favorite_color,$birthday));

Notice the error? I didn't get the order of the fields quite right, so the 'birthday' and 'favorite color' fields will get scrambled. Imagine how hard it would have been to have noticed the error in the middle of the field list! I recently caught this one in a Cold Fusion application -- this kind of code gets hard to maintain.

Enter ORM. Syntax varies, but this kind of insert is simple and maintainable with an ORM system:

    $t=$db->users;
    $r=$t->new_record();
    $r->first_name=$_POST["first_name"];
    $r->last_name=$_POST["last_name"];
    $r->organization=$_POST["organization"];
    ...
    $r->insert();
    $user_id=$r->user_id;

The ORM system takes care of quotes and bad data for you. You're not likely to introduce bugs when you add and remove fields, and they'll be transparent if you do. If you want to make life really easy, you might write a subroutine that uses the ORM's introspection capability, so you can just write

    populate_from_post($r,$_POST);

that scans through the database fields, and automatically assigns post variables down to fields. Talk about zero maintenance!

-------

ORM and other SQL-phobic approaches can also get you into big trouble. I once inherited a PHP app, using MS SQL Server as the back end, that had an administrative interface that listed all of the users in the system. It worked just fine in testing, but got REALLY slow when a few hundred users joined the system... It could take more than 100 seconds to produce the screen!
The problem was that the system did between 10 and 20 queries to produce each output row. It first did a query that retrieved a few hundred rows, and then it did more queries to get all the details. Doing 5000 queries took a really long time.

We changed the application to use prepared statements and found that the query took 10 seconds. This was acceptable, but still pretty bad.

Although this system didn't use an ORM, the general approach was that encouraged by most ORM systems -- I don't think any ORM system would have been smart enough to consolidate the multiple queries into a smaller number, because the individual-row queries were implementing quite complicated business rules that involved counting rows with certain attributes, preparing thresholds, etc.

An ORM system might or might not be smart enough to generate prepared statements. The difference between a 'smart' and 'dumb' ORM would be a factor of 10 in performance in this case.

Later on I wrote a 'pure SQL' query that calculated everything in one complex query. It used a number of subselects... I thought it was pretty straightforward, but many people aren't comfortable with queries that are this complex. It did the job in 0.1 seconds!! That's a factor of 100x better than I got from running separate statements.

-----------------------

Similar issues turn up with UPDATEs and DELETEs. ORM is quite efficient if you only want to update one or two records at a time, but imagine you want to update 100,000 rows. (Turning off service for people who didn't pay their bills, reset scores in an online game to zero, ...) It can be thousands of times faster to do something like:

    UPDATE user SET score=0;

than to write some loop that runs hundreds of thousands of queries. Once you add in the issues of concurrency and transactions, the 'pure SQL' solution looks a lot better -- it's automatically protected by the transactional integrity of the database.
Probably 80% of people working with an ORM system will forget to put the whole thing in a transaction, so it won't be reliable. The 20% of the people who do put it in a transaction will hold locks on the database for hundreds or thousands of times longer than they need to... which slows down the site for everybody else.

--------------------------

The gold standard is to use an ORM system that's tightly integrated with your framework when it's appropriate: when you're manipulating a few rows at a time. You'll get big gains in maintainability. When you're updating 1000+ rows or generating complex reports, you need different tools. I've built a few systems that integrate data grid display on the client with a prebuilt set of data fields that can be incorporated into the query, using subselects to 'join' data from other tables -- this gets the silver... The gold medal would go to a system that uses the database metadata from an ORM system to help you build queries. Hook this up to an AJAX data grid, say the one from ext, and you've got a Rails killer...

From ben at projectskyline.com Sat Sep 15 12:31:40 2007
From: ben at projectskyline.com (Ben Sgro (ProjectSkyLine))
Date: Sat, 15 Sep 2007 12:31:40 -0400
Subject: [nycphp-talk] ORM vs SQL: the ultimate showdown
References: <46EA6E4A.9050504@secdat.com> <46EC0D3D.3040600@devonianfarm.com>
Message-ID: <00c501c7f7b5$e5598920$6401a8c0@gamebox>

Hello,

    INSERT INTO users
    (first_name,last_name,organization,address1, ... 20 more fields ..., birthday, favorite_color)
    VALUES
    (?,?,?,?,... 20 more question marks ...,?,?)
    ",array($first_name,$last_name,$organization,$address1,... 20 more fields...,$favorite_color,$birthday);

Why not just do:

    SET ...
    first_name = $firstname,
    last_name = $lastname, ...

Which is *basically* the same as what you're saying ORM is useful for in this case...
- Ben

----- Original Message -----
From: "Paul Houle"
To: "NYPHP Talk"
Sent: Saturday, September 15, 2007 12:50 PM
Subject: [nycphp-talk] ORM vs SQL: the ultimate showdown

> I think of ORM as a partial solution to the problems of building database-backed web apps. People call database applications "CRUD" apps, short for
>
> Create
> Recall
> Update
> Delete
>
> ORM is good for Create, and for many cases of Update and Delete. It can be used to do Recall, but can be disastrously slow for generating many kinds of reports.
>
> Just the other day I was working with a Java Servlet-based webapp. I entered a text string with a single quote, which caused an error. The cause was code that would have looked like this in PHP:
>
> $conn->Execute("INSERT INTO users (first_name,last_name,organization)
> VALUES ('$first_name','$last_name','$organization')");
>
> This would have been OK if they'd written something like
>
> $first_name=addslashes($_POST["first_name"]);
> $last_name=addslashes($_POST["last_name"]);
> $organization=addslashes($_POST["organization"]);
>
> But they didn't. Neither do most developers. Now, there are tools that help with this: for instance, some database APIs will automatically quote things if you use placeholders. This style of doing things has its own problems: let's say the user table has a lot of fields...
>
> $conn->Execute("
> INSERT INTO users
> (first_name,last_name,organization,address1, ... 20 more fields ..., birthday, favorite_color)
> VALUES
> (?,?,?,?,... 20 more question marks ...,?,?)
> ",array($first_name,$last_name,$organization,$address1,... 20 more fields...,$favorite_color,$birthday));
>
> Notice the error? I didn't get the order of the fields quite right, so the 'birthday' and 'favorite color' fields will get scrambled. Imagine how hard it would have been to have noticed the error in the middle of the field list!
> I recently caught this one in a Cold Fusion application -- this kind of code gets hard to maintain.
>
> Enter ORM. Syntax varies, but this kind of insert is simple and maintainable with an ORM system:
>
> $t=$db->users;
> $r=$t->new_record();
> $r->first_name=$_POST["first_name"];
> $r->last_name=$_POST["last_name"];
> $r->organization=$_POST["organization"];
> ...
> $r->insert();
> $user_id=$r->user_id;
>
> The ORM system takes care of quotes and bad data for you. You're not likely to introduce bugs when you add and remove fields, and they'll be transparent if you do. If you want to make life really easy, you might write a subroutine that uses the ORM's introspection capability, so you can just write
>
> populate_from_post($r,$_POST);
>
> that scans through the database fields, and automatically assigns post variables down to fields. Talk about zero maintenance!
>
> -------
>
> ORM and other SQL-phobic approaches can also get you into big trouble. I once inherited a PHP app, using MS SQL Server as the back end, that had an administrative interface that listed all of the users in the system. It worked just fine in testing, but got REALLY slow when a few hundred users joined the system... It could take more than 100 seconds to produce the screen!
>
> The problem was that the system did between 10 and 20 queries to produce each output row. It first did a query that retrieved a few hundred rows, and then it did more queries to get all the details. Doing 5000 queries took a really long time.
>
> We changed the application to use prepared statements and found that the query took 10 seconds. This was acceptable, but still pretty bad.
>
> Although this system didn't use an ORM, the general approach was that encouraged by most ORM systems -- I don't think any ORM system would have been smart enough to consolidate the multiple queries into a smaller number, because the individual-row queries were implementing quite complicated business rules that involved counting rows with certain attributes, preparing thresholds, etc.
>
> An ORM system might or might not be smart enough to generate prepared statements. The difference between a 'smart' and 'dumb' ORM would be a factor of 10 in performance in this case.
>
> Later on I wrote a 'pure SQL' query that calculated everything in one complex query. It used a number of subselects... I thought it was pretty straightforward, but many people aren't comfortable with queries that are this complex. It did the job in 0.1 seconds!! That's a factor of 100x better than I got from running separate statements.
>
> -----------------------
>
> Similar issues turn up with UPDATEs and DELETEs. ORM is quite efficient if you only want to update one or two records at a time, but imagine you want to update 100,000 rows. (Turning off service for people who didn't pay their bills, reset scores in an online game to zero, ...) It can be thousands of times faster to do something like:
>
> UPDATE user SET score=0;
>
> than to write some loop that runs hundreds of thousands of queries. Once you add in the issues of concurrency and transactions, the 'pure SQL' solution looks a lot better -- it's automatically protected by the transactional integrity of the database. Probably 80% of people working with an ORM system will forget to put the whole thing in a transaction, so it won't be reliable. The 20% of the people who do put it in a transaction will hold locks on the database for hundreds or thousands of times longer than they need to... which slows down the site for everybody else.
>
> --------------------------
>
> The gold standard is to use an ORM system that's tightly integrated with your framework when it's appropriate: when you're manipulating a few rows at a time. You'll get big gains in maintainability. When you're updating 1000+ rows or generating complex reports, you need different tools. I've built a few systems that integrate data grid display on the client with a prebuilt set of data fields that can be incorporated into the query, using subselects to 'join' data from other tables -- this gets the silver... The gold medal would go to a system that uses the database metadata from an ORM system to help you build queries. Hook this up to an AJAX data grid, say the one from ext, and you've got a Rails killer...

From paul at devonianfarm.com Sat Sep 15 13:14:11 2007
From: paul at devonianfarm.com (Paul Houle)
Date: Sat, 15 Sep 2007 13:14:11 -0400
Subject: [nycphp-talk] ORM vs SQL: the ultimate showdown
In-Reply-To: <00c501c7f7b5$e5598920$6401a8c0@gamebox>
References: <46EA6E4A.9050504@secdat.com> <46EC0D3D.3040600@devonianfarm.com> <00c501c7f7b5$e5598920$6401a8c0@gamebox>
Message-ID: <46EC12E3.7050902@devonianfarm.com>

Ben Sgro (ProjectSkyLine) wrote:
>
>
> Why not just do:
>
> SET ...
> first_name = $firstname,
> last_name = $lastname, ...
>
> Which is *basically* the same as what you're saying ORM is useful for in this case...

That's a very nice syntax. It's also MySQL-specific. I love MySQL, and it may be very sensible to build a MySQL app that takes advantage of great features like this, but many of us need to write apps for PostgreSQL, Oracle, MS SQL and other databases that don't support this (superior) syntax.
Another advantage of an ORM system is that it can use database metadata to validate data much better than addslashes() can. For instance, some databases will let you get away with

    UPDATE TABLE SET an_integer_field='55';

Other databases (for instance, MS Access) won't, and you need to write

    UPDATE TABLE SET an_integer_field=55;

If '55' comes from the outside, you'll want to validate that it's an integer. Do you want to write that code by hand every time? Or would you like your ORM system to automatically detect the type based on database metadata, and give you an intelligible error message like "776krashyourdatabase is not an integer" rather than "Invalid SQL Syntax (Code 7719290)."

I find that I spend entirely too much time dealing with error conditions in my code, and welcome anything that makes that work easier.

From ben at projectskyline.com Sat Sep 15 12:56:23 2007
From: ben at projectskyline.com (Ben Sgro (ProjectSkyLine))
Date: Sat, 15 Sep 2007 12:56:23 -0400
Subject: [nycphp-talk] ORM vs SQL: the ultimate showdown
References: <46EA6E4A.9050504@secdat.com> <46EC0D3D.3040600@devonianfarm.com> <00c501c7f7b5$e5598920$6401a8c0@gamebox> <46EC12E3.7050902@devonianfarm.com>
Message-ID: <00ec01c7f7b9$596d1540$6401a8c0@gamebox>

Hello,

Good point. I've only been writing code for MSSQL and MySQL, and currently only MySQL. Anything that makes our job easier seems good to me!

- Ben

----- Original Message -----
From: "Paul Houle"
To: "NYPHP Talk"
Sent: Saturday, September 15, 2007 1:14 PM
Subject: Re: [nycphp-talk] ORM vs SQL: the ultimate showdown

> Ben Sgro (ProjectSkyLine) wrote:
>>
>>
>> Why not just do:
>>
>> SET ...
>> first_name = $firstname,
>> last_name = $lastname, ...
>>
>> Which is *basically* the same as what you're saying ORM is useful for in this case...
> That's a very nice syntax. It's also MySQL-specific.
> I love MySQL, and it may be very sensible to build a MySQL app that takes advantage of great features like this, but many of us need to write apps for PostgreSQL, Oracle, MS SQL and other databases that don't support this (superior) syntax.
>
> Another advantage of an ORM system is that it can use database metadata to validate data much better than addslashes() can. For instance, some databases will let you get away with
>
> UPDATE TABLE SET an_integer_field='55';
>
> Other databases (for instance, MS Access) won't, and you need to write
>
> UPDATE TABLE SET an_integer_field=55;
>
> If '55' comes from the outside, you'll want to validate that it's an integer. Do you want to write that code by hand every time? Or would you like your ORM system to automatically detect the type based on database metadata, and give you an intelligible error message like "776krashyourdatabase is not an integer" rather than "Invalid SQL Syntax (Code 7719290)."
>
> I find that I spend entirely too much time dealing with error conditions in my code, and welcome anything that makes that work easier.

From ken at secdat.com Sat Sep 15 13:05:36 2007
From: ken at secdat.com (Kenneth Downs)
Date: Sat, 15 Sep 2007 13:05:36 -0400
Subject: What Does ORM Mean? Re: [nycphp-talk] ORM vs SQL: the ultimate showdown
In-Reply-To: <00c501c7f7b5$e5598920$6401a8c0@gamebox>
References: <46EA6E4A.9050504@secdat.com> <46EC0D3D.3040600@devonianfarm.com> <00c501c7f7b5$e5598920$6401a8c0@gamebox>
Message-ID: <46EC10E0.3020204@secdat.com>

ORM is normally meant to mean a comprehensive strategy for treating tables as objects, and to recast relational concepts in object-oriented terms.
The examples in the past few posts just ain't ORM; there is no showdown. The examples are necessary, clever, and intelligent examples of simple abstractions of the interface of PHP to a SQL database. They don't display ORM, so they can't be a showdown between ORM and SQL.

A better title might be "Manual coding vs library routines."

Ben Sgro (ProjectSkyLine) wrote:
> Hello,
>
> INSERT INTO users
> (first_name,last_name,organization,address1, ... 20 more fields ..., birthday, favorite_color)
> VALUES
> (?,?,?,?,... 20 more question marks ...,?,?)
> ",array($first_name,$last_name,$organization,$address1,... 20 more fields...,$favorite_color,$birthday);
>
> Why not just do:
>
> SET ...
> first_name = $firstname,
> last_name = $lastname, ...
>
> Which is *basically* the same as what you're saying ORM is useful for in this case...
>
> - Ben
>
> ----- Original Message ----- From: "Paul Houle"
> To: "NYPHP Talk"
> Sent: Saturday, September 15, 2007 12:50 PM
> Subject: [nycphp-talk] ORM vs SQL: the ultimate showdown
>
>
>> I think of ORM as a partial solution to the problems of building database-backed web apps. People call database applications "CRUD" apps, short for
>>
>> Create
>> Recall
>> Update
>> Delete
>>
>> ORM is good for Create, and for many cases of Update and Delete. It can be used to do Recall, but can be disastrously slow for generating many kinds of reports.
>>
>> Just the other day I was working with a Java Servlet-based webapp. I entered a text string with a single quote, which caused an error. The cause was code that would have looked like this in PHP:
>>
>> $conn->Execute("INSERT INTO users (first_name,last_name,organization)
>> VALUES ('$first_name','$last_name','$organization')");
>>
>> This would have been OK if they'd written something like
>>
>> $first_name=addslashes($_POST["first_name"]);
>> $last_name=addslashes($_POST["last_name"]);
>> $organization=addslashes($_POST["organization"]);
>>
>> But they didn't.
>> Neither do most developers. Now, there are tools that help with this: for instance, some database APIs will automatically quote things if you use placeholders. This style of doing things has its own problems: let's say the user table has a lot of fields...
>>
>> $conn->Execute("
>> INSERT INTO users
>> (first_name,last_name,organization,address1, ... 20 more fields ..., birthday, favorite_color)
>> VALUES
>> (?,?,?,?,... 20 more question marks ...,?,?)
>> ",array($first_name,$last_name,$organization,$address1,... 20 more fields...,$favorite_color,$birthday));
>>
>> Notice the error? I didn't get the order of the fields quite right, so the 'birthday' and 'favorite color' fields will get scrambled. Imagine how hard it would have been to have noticed the error in the middle of the field list! I recently caught this one in a Cold Fusion application -- this kind of code gets hard to maintain.
>>
>> Enter ORM. Syntax varies, but this kind of insert is simple and maintainable with an ORM system:
>>
>> $t=$db->users;
>> $r=$t->new_record();
>> $r->first_name=$_POST["first_name"];
>> $r->last_name=$_POST["last_name"];
>> $r->organization=$_POST["organization"];
>> ...
>> $r->insert();
>> $user_id=$r->user_id;
>>
>> The ORM system takes care of quotes and bad data for you. You're not likely to introduce bugs when you add and remove fields, and they'll be transparent if you do. If you want to make life really easy, you might write a subroutine that uses the ORM's introspection capability, so you can just write
>>
>> populate_from_post($r,$_POST);
>>
>> that scans through the database fields, and automatically assigns post variables down to fields. Talk about zero maintenance!
>>
>> -------
>>
>> ORM and other SQL-phobic approaches can also get you into big trouble. I once inherited a PHP app, using MS SQL Server as the back end, that had an administrative interface that listed all of the users in the system.
>> It worked just fine in testing, but got REALLY slow
>> when a few hundred users joined the system... It could take more
>> than 100 seconds to produce the screen!
>>
>> The problem was that the system did between 10 and 20 queries to
>> produce each output row. It first did a query that retrieved a few
>> hundred rows, and then it did more queries to get all the details.
>> Doing 5000 queries took a really long time.
>>
>> We changed the application to use prepared statements and found
>> that the query took 10 seconds. This was acceptable, but still
>> pretty bad.
>>
>> Although this system didn't use an ORM, the general approach was
>> that encouraged by most ORM systems -- I don't think any ORM system
>> would have been smart enough to consolidate the multiple queries into
>> a smaller number, because the individual-row queries were
>> implementing quite complicated business rules that involved counting
>> rows with certain attributes, preparing thresholds, etc.
>>
>> An ORM system might or might not be smart enough to generate
>> prepared statements. The difference between a 'smart' and 'dumb' ORM
>> would be a factor of 10 in performance in this case.
>>
>> Later on I wrote a 'pure SQL' query that calculated everything in
>> one complex query. It used a number of subselects... I thought it
>> was pretty straightforward, but many people aren't comfortable with
>> queries that are this complex. It did the job in 0.1 seconds!!
>> That's a factor of 100x better than I got from running separate
>> statements.
>>
>> -----------------------
>>
>> Similar issues turn up with UPDATEs and DELETEs. ORM is quite
>> efficient if you only want to update one or two records at a time,
>> but imagine you want to update 100,000 rows. (Turning off service
>> for people who didn't pay their bills, reset scores in an online
>> game to zero, ...)
>> It can be thousands of times faster to do
>> something like:
>>
>> UPDATE user SET score=0;
>>
>> than to write some loop that runs hundreds of thousands of queries.
>> Once you add in the issues of concurrency and transactions, the
>> 'pure SQL' solution looks a lot better -- it's automatically
>> protected by the transactional integrity of the database. Probably
>> 80% of people working with an ORM system will forget to put the whole
>> thing in a transaction: so it won't be reliable. The 20% of the
>> people who do put it in a transaction will hold locks on the database
>> for hundreds or thousands of times longer than they need to... Which
>> slows down the site for everybody else.
>>
>> --------------------------
>>
>> The gold standard is to use an ORM system that's tightly integrated
>> with your framework when it's appropriate: when you're manipulating
>> a few rows at a time. You'll get big gains in maintainability. When
>> you're updating 1000+ rows or generating complex reports, you need
>> different tools. I've built a few systems that integrate data grid
>> display on the client with a prebuilt set of data fields that can be
>> incorporated into the query, using subselects to 'join' data from
>> other tables -- this gets the silver... The gold medal would go to a
>> system that uses the database metadata from an ORM system to help you
>> build queries. Hook this up to an AJAX data grid, say the one from
>> ext, and you've got a rails killer...
>> _______________________________________________
>> New York PHP Community Talk Mailing List
>> http://lists.nyphp.org/mailman/listinfo/talk
>>
>> NYPHPCon 2006 Presentations Online
>> http://www.nyphpcon.com
>>
>> Show Your Participation in New York PHP
>> http://www.nyphp.org/show_participation.php

--
Kenneth Downs
Secure Data Software, Inc.
www.secdat.com www.andromeda-project.org
631-689-7200 Fax: 631-689-0527 cell: 631-379-0010

From ramons at gmx.net Sat Sep 15 13:48:32 2007
From: ramons at gmx.net (David Krings)
Date: Sat, 15 Sep 2007 13:48:32 -0400
Subject: [nycphp-talk] ORM vs SQL: the ultimate showdown
In-Reply-To: <46EC0D3D.3040600@devonianfarm.com>
References: <46EA6E4A.9050504@secdat.com> <46EC0D3D.3040600@devonianfarm.com>
Message-ID: <46EC1AF0.8040803@gmx.net>

Paul Houle wrote:
> I think of ORM as a partial solution to the problems of building
> database-backed web apps. People call database applications "CRUD"
> apps, short for

I have no idea what ORM is, mainly because I didn't follow the past threads, but here is my take on the problem you describe.

> This would have been OK if they'd written something like
>
> $first_name=addslashes($_POST["first_name"]);
> $last_name=addslashes($_POST["last_name"]);
> $organization=addslashes($_POST["organization"]);

Depending on the database used there are better means. In the case of MySQL, using mysql_real_escape_string is the way better approach, as I learned not too long ago. With addslashes you get the proper escaping, but upon retrieval you have to take the surplus slashes back out.
When storing something that has slashes in the original information (Windows file paths for example) how is the code supposed to know which slashes to take out? And all that although a slash won't break your SQL.

>
> But they didn't. Neither do most developers. Now, there are tools

That is because most developers are ignorant, unqualified, or arrogant or all three in regards to users some very basic level of quality and security.* I have seen apps where the developer went through the trouble to take out anything that might be offending to SQL or the rest of the code rather than to choose proper delimiters and proper escaping. I often post opinions in a German online newspaper and they use a PHP script with MySQL. Of course, that script doesn't do any escaping and blurts out the whole SQL query upon failure. How easy will it be to drop some tables, add some, modify, add procedures... in short, that script is open to SQL injection at the first degree. I recall that I did exactly the same when I started poking around in MySQL with PHP until I read about SQL injection and that addslashes is the way to go - until I tried to store file paths in my tables and they all stopped working upon retrieval. I then opted to go the ignorant and unqualified route by not escaping file paths and thus not needing to strip slashes. Until I came across a folder name with a single quote in it. Then I learned to do it the right way.

> The ORM system takes care of quotes and bad data for you.

One of the lessons of professional software QA and hobbyist PHP development is "All input is evil!". I always distrust everything even when it comes from a db record that I just wrote a few seconds ago. In that sense I think it is a bit foolish to just forget about proper validation and have some system take care of it. That system is also just a bunch of lines of code.
While I do see the benefits of simplifying db access and with that abstracting the db layer I still think that anything that comes in and goes out has to be fully verified to be good data. Don't expect that you get good data and don't expect that the other system will take care of bad data (from you or someone else).

This concludes today's lesson. Thank you students.

David

*Note: There are very many honorable exceptions and I know of several who take things like security, quality, and usability into consideration - after the lack of doing so bit them hard into their behinds.

From ramons at gmx.net Sat Sep 15 13:51:07 2007
From: ramons at gmx.net (David Krings)
Date: Sat, 15 Sep 2007 13:51:07 -0400
Subject: [nycphp-talk] ORM vs SQL: the ultimate showdown
In-Reply-To: <46EC12E3.7050902@devonianfarm.com>
References: <46EA6E4A.9050504@secdat.com> <46EC0D3D.3040600@devonianfarm.com> <00c501c7f7b5$e5598920$6401a8c0@gamebox> <46EC12E3.7050902@devonianfarm.com>
Message-ID: <46EC1B8B.7050109@gmx.net>

Paul Houle wrote:
> Other databases (for instance, MS Access) won't, and you need to write

Since when is Access a database? It is a big piece of stinkin' garbage. ;)

David

From ben at projectskyline.com Sat Sep 15 14:24:02 2007
From: ben at projectskyline.com (Ben Sgro (ProjectSkyLine))
Date: Sat, 15 Sep 2007 14:24:02 -0400
Subject: [nycphp-talk] Two part question: Shopping carts & E-commerce
References: <46D43B08.60009@beezifies.com><70745236-EB98-4AC3-B754-4DC2A315323E@jonbaer.com> <46D47172.1000909@beezifies.com>
Message-ID: <016801c7f7c5$9820c190$6401a8c0@gamebox>

Hello,

After speaking with a lot of people, it seems OSCommerce and Authorize.net are a good team.

However, after taking a look at CS-Cart, it does *look* nicer than OScommerce.

Does anyone have experience with both of these carts?
- Ben

From lists at enobrev.com Sat Sep 15 15:24:30 2007
From: lists at enobrev.com (Mark Armendariz)
Date: Sat, 15 Sep 2007 15:24:30 -0400
Subject: [nycphp-talk] ORM vs SQL: the ultimate showdown
In-Reply-To: <00c501c7f7b5$e5598920$6401a8c0@gamebox>
References: <46EA6E4A.9050504@secdat.com> <46EC0D3D.3040600@devonianfarm.com> <00c501c7f7b5$e5598920$6401a8c0@gamebox>
Message-ID: <46EC316E.6030203@enobrev.com>

I'm a huge fan of SQL, and I've been using it for over 10 years. It's a solid and reliable friend. But it seems to be far too wordy and gets hairy to maintain, which is why we tend to look for ways to modularize it within our programming languages. When using SQL, we're just working with strings. mysql_query('SELECT * FROM customers') is as painful as using innerHTML in JavaScript. In some instances, you just have to, but it 'feels right' to use the DOM, and the DOM allows so much more power from a JavaScript perspective.

This might seem completely ridiculous and tear the idea to shreds if you must, but I've been working on a library with its own query language that creates both the SQL and the PHP Objects to reference everything returned. Though I've been working on it for quite some time, it's still too early (read: messy) to offer it to the masses (I'm successfully using it in 4 of my current small to medium sized projects).
Over the past 10 years, every time I try to keep all my queries in one place, whether it be with SQL or with some objects representing my Database Tables, I end up with a bunch of functions named getCustomers, getCustomer($id), getCustomersInNy, getCustomersInTristate, so instead I made a language that allows something like:

get customers

means

SELECT * FROM customers

get customers 425

means

SELECT * FROM customers WHERE customer_id = 425

get customer last_name d, first_name d, full_address where customer_id = 1-5

means

SELECT c.first_name, c.last_name, a.address_1, a.address_2, a.city, a.province, co.country_title
FROM customers c
LEFT JOIN addresses a ON c.customer_id = a.customer_id
LEFT JOIN countries co ON a.country_id = co.country_id
WHERE customer_id = 1 OR customer_id = 2 OR customer_id = 3 OR customer_id = 4 OR customer_id = 5
ORDER BY c.last_name DESC, c.first_name DESC

and

find mark in customers, addresses, countries

means

SELECT * FROM customers c
LEFT JOIN addresses a ON c.customer_id = a.customer_id
LEFT JOIN countries co ON a.country_id = co.country_id
WHERE c.first_name LIKE '%mark%' OR c.last_name LIKE '%mark%' OR c.username LIKE '%mark%' OR a.address_1 LIKE '%mark%' OR a.address_2 LIKE '%mark%' OR a.city LIKE '%mark%' OR a.province LIKE '%mark%' OR co.country_title LIKE '%mark%'

(all the string fields in all pertaining tables)

All the joins are dynamically generated, and those generations are cached, so it only needs to figure out the joins once. All the queries are dynamically generated as well (obviously) and cached, but if a new field is added, the cache is cleared and all those selects are re-cached with the new fields (or removed fields removed from queries).

The return can be an array of results, an iterator or an object with access to the selected tables and fields (with values set and more detailed properties for formatting and manipulation).
The returned array can have the data formatted as well.

I haven't done the inserts and updates language yet, but all the fields have types (url, email, USPhone, textile, textileComment, alpha, alphaWithPunctuation, Integer, DateTime etc), so all the proper filtering and escaping is done automatically as is. Even though the language doesn't have inserts and updates, I've been using the type objects for proper field handling and filtering (rather than add-slashing everything).

Anyways, to me this seems to be the way to go. If we're dealing with strings anyways, we might as well keep those strings short and sweet and most importantly dynamic. It should be portable (any database or any model, really) and simple.

The biggest argument I tend to hear is that restricting fields in php is silly, but I largely disagree. By filtering inputted data, we're already typing these fields, and usually incorrectly. Strict typing and a dynamic language fit together well as you are allowed the choice of either.

Ideally I'd be able to get this into an extension at some point, but I'm still getting things organized. I'm currently in the process of rewriting the type classes to make them more modular / portable (if anyone has experience in the realm of creating a type system, please give me a shout off-list).

Anyways, that's my take on SQL and ORM. Both - with an easily manipulated and portable meta language.

Mark Armendariz

From ken at secdat.com Sat Sep 15 15:45:12 2007
From: ken at secdat.com (Kenneth Downs)
Date: Sat, 15 Sep 2007 15:45:12 -0400
Subject: [nycphp-talk] ORM vs SQL: the ultimate showdown
In-Reply-To: <46EC316E.6030203@enobrev.com>
References: <46EA6E4A.9050504@secdat.com> <46EC0D3D.3040600@devonianfarm.com> <00c501c7f7b5$e5598920$6401a8c0@gamebox> <46EC316E.6030203@enobrev.com>
Message-ID: <46EC3648.8020508@secdat.com>

Mark, this all sounds very interesting. Nothing will improve your code nearly as much as letting other people see it. Get it on sourceforge! Release early!
Release Often!

Mark Armendariz wrote:
> I'm a huge fan of SQL, and I've been using it for over 10 years. It's
> a solid and reliable friend. But it seems to be far too wordy and
> gets hairy to maintain, which is why we tend to look for ways to
> modularize it within our programming languages. When using SQL, we're
> just working with strings. mysql_query('SELECT * FROM customers') is
> as painful as using innerHTML in JavaScript. In some instances, you
> just have to, but it 'feels right' to use the DOM, and the DOM allows
> so much more power from a JavaScript perspective.
>

--
Kenneth Downs
Secure Data Software, Inc.
www.secdat.com www.andromeda-project.org
631-689-7200 Fax: 631-689-0527 cell: 631-379-0010

From jcampbell1 at gmail.com Sat Sep 15 22:30:05 2007
From: jcampbell1 at gmail.com (John Campbell)
Date: Sat, 15 Sep 2007 22:30:05 -0400
Subject: [nycphp-talk] PHP script needs some filter help
In-Reply-To:
References:
Message-ID: <8f0676b40709151930w136168cdxa90051ca5be3589e@mail.gmail.com>

> The situation: Our company's website host server only processes scripts in
> php, python, Cold Fusion [not in asp - go figure]. Our website has three
> separate user information request forms on it; all were posted using a php
> mail script. One day, all of a sudden, we get 20-30 bogus forms mailed to us
> per day. Annoying and alarming. So I went searching for some way to
> control it. I managed to insert a php script with captcha into each. But,
> we are still getting bogus forms sent to us. Not as many, but still
> annoying and no fun... email header injections I take it?
>
> So, I tried to follow along and use some php includes that I found posted on
> nyphp.org. After adding some of the code and quite a few iterations, I'd
> keep getting these parsing errors, and could never get it to work.

Here is what I think is really happening, and a captcha isn't going to do a damn thing.
Your script has a vulnerability that allows a spammer to use your company's webserver to send out mass emailings. You should fix the header injection, and the spammer will quit within a week or so. Technically, you are responsible for the spam, as it is being sent by your server and your company's email will get blacklisted soon.

Don't allow user input into the header parameter of the mail() function. If you do, make sure to validate it (no newlines). Check your mail logs as well.

Regards,
John Campbell

From brenttech at gmail.com Sun Sep 16 01:39:16 2007
From: brenttech at gmail.com (Brent Baisley)
Date: Sun, 16 Sep 2007 01:39:16 -0400
Subject: [nycphp-talk] Emailing from a PHP script
In-Reply-To: <004201c7f6d0$7cc0f780$0200a8c0@X9183>
References: <004201c7f6d0$7cc0f780$0200a8c0@X9183>
Message-ID: <5CFF5FC7-705C-4BC6-A532-DA5D2DC8FE1B@gmail.com>

I think there are a few possible problems, the first is that you may be running Windows. The mail() function really looks for sendmail installed under Unix, which is a pretty safe assumption since sendmail or postfix (which emulates sendmail) comes with just about all Unix systems. But you need to have it configured in order for it to work, meaning your local machine has to be set up to be allowed to send email unauthenticated (i.e. an open relay). If your email server isn't set to "trust" the box you are on, you're not going to be able to send email.

I would recommend downloading either swiftmail or phpmailer (I prefer swiftmail), which will allow you to point your script at any mail server, login and send an email.

On Sep 14, 2007, at 9:09 AM, PaulCheung wrote:
> Can anybody see what I am doing wrong??
>
> I have set php.ini (as per the manual) to my email settings
> ======================================
> [mail function]
> ; For Win32 only.
> SMTP = smtp.tiscali.co.uk
> smtp_port = 25
>
> ; For Win32 only.
> sendmail_from = paulcheung at tiscali.co.uk
> ========================================================
> I run the script and the following message appears
>
> Warning: mail() [function.mail]: Failed to connect to mailserver at
> "localhost" port 25, verify your "SMTP" and "smtp_port" setting in
> php.ini or use ini_set() in C:\xampp\htdocs\tp_access.php on line 61
> ========================================================
> script line 61 mail(to, subject, message, "From: paulcheung at tiscali.co.uk");
>
> Following the textbook example it should work - why am I directed
> to localhost??

From bz-gmort at beezifies.com Sun Sep 16 13:57:16 2007
From: bz-gmort at beezifies.com (Gary Mort)
Date: Sun, 16 Sep 2007 13:57:16 -0400
Subject: [nycphp-talk] ORM vs SQL: the ultimate showdown
In-Reply-To: <46EC316E.6030203@enobrev.com>
References: <46EA6E4A.9050504@secdat.com> <46EC0D3D.3040600@devonianfarm.com> <00c501c7f7b5$e5598920$6401a8c0@gamebox> <46EC316E.6030203@enobrev.com>
Message-ID: <46ED6E7C.4010100@beezifies.com>

Mark Armendariz wrote:
> I'm a huge fan of SQL, and I've been using it for over 10 years. It's
> a solid and reliable friend. But it seems to be far too wordy and
> gets hairy to maintain, which is why we tend to look for ways to
> modularize it within our programming languages.

Personally, my feeling has generally been that since the "wordy" SQL is generally performing the tasks of a lot of different functions, it is no wordier than writing the code in PHP. Nor is making objects necessarily less "work" than making functions.

I started with SQL on an SQL/DS system and then moved over to DB2 over 15 years ago.
At the time, SQL was powerful, it was its own virtual mini language if you took the time to craft your queries carefully, and in a client server app on the slow network of the day (a 16MB Token Ring network) it just made sense to do as much processing and filtering as possible on the server, rather than transmit lots of data across the network and tie up the client's memory and bandwidth in processing it. Plus you got a lot of extra power in that processing of the data was the most CPU and memory intensive operation, it's a lot easier to add extra memory and upgrade the server than 50 clients. And tuning queries and indexes can make things run faster without having a heavy coding impact.

But back in those days we had a DB Admin, a Network admin, and a Programmer working together to determine the problems (and I was lucky enough to train in all 3 areas, plus the people I worked with lacked many of the egos I would later encounter. If a problem will take the DB Admin a couple hours to tweak the indexes and tune them for the queries, a couple days for the network admin to update the parameters in the network window sizes to fetch the result sets more efficiently, or a week for the programmer to recode everything to meet the current limitations - we took the business decision of correcting it in the Database. I was later to run into people who would insist that the "correct" solution was for someone else to fix it, no matter what the time involved.)

When I went to MySQL it was a massive shock to lose so much functionality that DB2 had. This was after years of looking at DB2 compared to Oracle and always saying "if only we could store blobs in the database like Oracle..." etc. But there was a good reason for this, MySQL was a lightweight database that eschewed many of these features in order to have the best performance it could. Plus it seemed rather obvious that the developers of it had gotten burned by a few of those features in the past.
Over time, MySQL is still advancing, and has added many cool features of its own. It also traditionally runs in an environment where you don't have a DBAdmin committed to just your applications. You don't have a network admin, as the application passes through many networks and you can't force them to tune for your app. So a lot of logic ends up getting pushed into the application.

But I'd not give up on SQL programming. Heck, here is a simple benefit of SQL. I had to export data for half a dozen different tables I inherited on different reports. All I was doing was creating CSV files with a header.

The procedural way of creating the report would be to pull the data, then create the file and header, then export all the rows parsing them out, knowing which are strings and which are numbers so you can determine which should be given quotes for importing into Excel and which should be placed without quotes.

The object way would be to create a master object, subclass it for each report, have a little createReport function unique to each one, etc.

The SQL way was to use the handy little "as" function to name each of the obtusely named columns, so pno could become "Part Number". Also a little conversion to convert different application fine grained status codes into human readable summary codes (having 3 pending status codes for application logic is fine, but to the user they all mean the same thing - pending). Use a little data type checking in the PHP to determine which column was text and which was numbers, and create the file.

If done purely with objects, you would need to create a new class for each report. Procedures mean making some small changes and a new copy of the program for each report. With the bulk of the logic in the SQL, to make a "new" report all that is required is changing 1 line of code - the SQL query.

Each tool has its place for its need. For me, the two main factors tend to be:

Time: How much time will each one take.
It's all well and good to say "this is the best solution, and doing it any other way is lazy". But when the question boils down to "you have 3 hours to do it" - you choose the solution that fits the time constraints.

Other coders: If most of the coders working on a project use 1 style of coding, I like to follow the same style. And if there is a wealth of code out there that can be adapted but it uses one style or another, I go with that style.

Of course, this means I'm now working on rewriting a number of apps, on my own time, to use object oriented design as the bulk of other code and modules I use are now using that design. It makes for a jarring transition to go from one to the other, so I might as well learn now.

From bz-gmort at beezifies.com Sun Sep 16 14:02:20 2007
From: bz-gmort at beezifies.com (Gary Mort)
Date: Sun, 16 Sep 2007 14:02:20 -0400
Subject: [nycphp-talk] PHP script needs some filter help
In-Reply-To:
References:
Message-ID: <46ED6FAC.8050308@beezifies.com>

Christina Karlhoff wrote:
>
> The situation: Our company's website host server only processes
> scripts in php, python, Cold Fusion [not in asp - go figure]. Our
> website has three separate user information request forms on it; all
> were posted using a php mail script. One day, all of a sudden, we get
> 20-30 bogus forms mailed to us per day. Annoying and alarming. So I
> went searching for some way to control it. I managed to insert a php
> script with captcha into each. But, we are still getting bogus forms
> sent to us. Not as many, but still annoying and no fun... email header
> injections I take it?
>

Captcha prevents, to a degree, the automated use of your forms to send you email. It won't prevent someone from manually using those forms to send you email. Nor will it prevent someone from forging your email address and sending you spam. So without knowing why the forms are bogus, it's somewhat hard to tell what the problem is.
As a first step, I'd make sure to code something so you track who submits an email through a form (cookie plus IP address tracking along with placing a unique id for each email in the header) so you can compare the "spam" with your database and see where it is coming from. Then attack the problem from that perspective. If they all come from the same IP address range, add an extra captcha routine triggered just for them to confirm email. Reject their address entirely. Whatever.

From paul at devonianfarm.com Sun Sep 16 14:38:38 2007
From: paul at devonianfarm.com (Paul Houle)
Date: Sun, 16 Sep 2007 14:38:38 -0400
Subject: [nycphp-talk] ORM vs SQL: the ultimate showdown
In-Reply-To: <46EC316E.6030203@enobrev.com>
References: <46EA6E4A.9050504@secdat.com> <46EC0D3D.3040600@devonianfarm.com> <00c501c7f7b5$e5598920$6401a8c0@gamebox> <46EC316E.6030203@enobrev.com>
Message-ID: <46ED782E.3070303@devonianfarm.com>

Mark Armendariz wrote:
>
> This might seem completely ridiculous and tear the idea to shreds if
> you must, but I've been working on a library with its own query
> language that creates both the SQL and the PHP Objects to reference
> everything returned. Though I've been working on it for quite some
> time, it's still too early (read: messy) to offer it to the masses
> (I'm successfully using it in 4 of my current small to medium sized
> projects).
> Over the past 10 years, every time I try to keep all my queries in one
> place, whether it be with SQL or with some objects representing my
> Database Tables, I end up with a bunch of functions named
> getCustomers, getCustomer($id), getCustomersInNy,
> getCustomersInTristate, so instead I made a language that allows
> something like:
>

I'm really fascinated by ideas like this.

Have you seen HQL, the query language that comes with the (Java-based) Hibernate ORM system?
http://www.hibernate.org/hib_docs/reference/en/html/queryhql.html

From edwardpotter at gmail.com Sun Sep 16 14:23:17 2007
From: edwardpotter at gmail.com (Edward Potter)
Date: Sun, 16 Sep 2007 14:23:17 -0400
Subject: [nycphp-talk] Two part question: Shopping carts & E-commerce
In-Reply-To: <016801c7f7c5$9820c190$6401a8c0@gamebox>
References: <46D43B08.60009@beezifies.com> <70745236-EB98-4AC3-B754-4DC2A315323E@jonbaer.com> <46D47172.1000909@beezifies.com> <016801c7f7c5$9820c190$6401a8c0@gamebox>
Message-ID:

To the best of my knowledge I may have put one of the first "Shopping Carts" on the Web, I think it was back in '95-96'. I used perl in those days. They can get VERY complex, VERY, VERY fast - I suggest reading all the above posts, twice!

How's this one: one client wanted anything sent to Canada to be priced double or not sent at all, depending on the mood of his girlfriend, but only DVD items that had a romantic title, all was set back to normal in March, then he had a new girlfriend that lived in California, all the Cali customers got an extra 6% off, but only on collectible videos, not DVDs. And the inventory was in the thousands, how do you program for that? Yipes!

good luck :-)

ed

On 9/15/07, Ben Sgro (ProjectSkyLine) wrote:
> Hello,
>
> After speaking with a lot of people, it seems OSCommerce and Authorize.net
> are a good team.
>
> However, after taking a look at CS-Cart, it does *look* nicer than
> OScommerce.
>
> Does anyone have experience with both of these carts?
>
> - Ben
>

--
the Blog: http://www.utopiaparkway.com
the Karma: http://www.coderswithconscience.com
the Projects: http://flickr.com/photos/86842405 at N00/
the Store: http://astore.amazon.com/httpwwwutopic-20

From nikola.mitic at gmail.com Sun Sep 16 16:24:01 2007
From: nikola.mitic at gmail.com (Nikola Mitic)
Date: Sun, 16 Sep 2007 22:24:01 +0200
Subject: [nycphp-talk] Two part question: Shopping carts & E-commerce
In-Reply-To:
References: <46D43B08.60009@beezifies.com> <70745236-EB98-4AC3-B754-4DC2A315323E@jonbaer.com> <46D47172.1000909@beezifies.com> <016801c7f7c5$9820c190$6401a8c0@gamebox>
Message-ID: <6b1dc5090709161324j1109f7ccq642fb4f815284d6f@mail.gmail.com>

Just working on a candles website with Oscommerce SC and it is OK for basic use. You can also check X-cart that I was working on 1 year ago. Things that are interesting in X-cart are:
- Manufacturers
- Wish lists
- News management
- Shipping methods
- Taxing system
- Edit ratings
- Gift certificates

You can also add modules like:
- UPS OnLine(r) Tools
- Users online
- G Analytics
...

Best,
Nikola Mitic
http://www.twospots.com

From cliff at pinestream.com Sun Sep 16 17:25:06 2007
From: cliff at pinestream.com (Cliff Hirsch)
Date: Sun, 16 Sep 2007 17:25:06 -0400
Subject: [nycphp-talk] Book suggestions for web site management
Message-ID:

So I have all the php, mysql and Javascript books. I even have a few books on CSS and scale-out. But does anyone have suggestions, whether books, web site, articles, etc., for what I need to do to keep a complex LAMP-based server humming?
I have a few Linux books and I'm sure my managed hosting provider will take care of most everything, but it would still make interesting reading. And I need to know what to ask them....

Cliff

From lk613m at yahoo.com Sun Sep 16 18:10:25 2007
From: lk613m at yahoo.com (LK)
Date: Sun, 16 Sep 2007 15:10:25 -0700 (PDT)
Subject: [nycphp-talk] Book suggestions for web site management
Message-ID: <735295.34047.qm@web53304.mail.re2.yahoo.com>

I use http://safari.oreilly.com/

For a $40/month subscription you can read thousands of IT books online. The entire database is searchable and does not take any shelf space. I highly recommend it.

-Leo

----- Original Message ----
From: Cliff Hirsch
To: NYPHP Talk
Sent: Sunday, September 16, 2007 5:25:06 PM
Subject: [nycphp-talk] Book suggestions for web site management

So I have all the php, mysql and Javascript books. I even have a few books on CSS and scale-out. But does anyone have suggestions, whether books, web site, articles, etc., for what I need to do to keep a complex LAMP-based server humming? I have a few Linux books and I'm sure my managed hosting provider will take care of most everything, but it would still make interesting reading. And I need to know what to ask them....

Cliff
From rmarscher at beaffinitive.com Sun Sep 16 19:47:06 2007
From: rmarscher at beaffinitive.com (Rob Marscher)
Date: Sun, 16 Sep 2007 19:47:06 -0400
Subject: [nycphp-talk] ORM vs SQL: the ultimate showdown
In-Reply-To: <46EC316E.6030203@enobrev.com>
References: <46EA6E4A.9050504@secdat.com> <46EC0D3D.3040600@devonianfarm.com> <00c501c7f7b5$e5598920$6401a8c0@gamebox> <46EC316E.6030203@enobrev.com>
Message-ID: <4400D089-F617-45DD-ACC0-BCB7794732B1@beaffinitive.com>

On Sep 15, 2007, at 3:24 PM, Mark Armendariz wrote:
> Anyways, that's my take on SQL and ORM. Both - with an easily
> manipulated and portable meta language.

Sounds pretty cool. Ever thought of analyzing the queries used within an application and automatically generate (or suggest) indexes? Seems like your system might have self-analyzing capabilities to be able to do that.

-Rob

From lists at enobrev.com Sun Sep 16 20:02:45 2007
From: lists at enobrev.com (Mark Armendariz)
Date: Sun, 16 Sep 2007 20:02:45 -0400
Subject: [nycphp-talk] ORM vs SQL: the ultimate showdown
In-Reply-To: <4400D089-F617-45DD-ACC0-BCB7794732B1@beaffinitive.com>
References: <46EA6E4A.9050504@secdat.com> <46EC0D3D.3040600@devonianfarm.com> <00c501c7f7b5$e5598920$6401a8c0@gamebox> <46EC316E.6030203@enobrev.com> <4400D089-F617-45DD-ACC0-BCB7794732B1@beaffinitive.com>
Message-ID: <46EDC425.2010805@enobrev.com>

Rob Marscher wrote:
> On Sep 15, 2007, at 3:24 PM, Mark Armendariz wrote:
>> Anyways, that's my take on SQL and ORM. Both - with an easily
>> manipulated and portable meta language.
> Sounds pretty cool. Ever thought of analyzing the queries used within
> an application and automatically generate (or suggest) indexes? Seems
> like your system might have self-analyzing capabilities to be able to
> do that.

Working towards that as well. Currently has some basic profiling capabilities for finding the real nasty queries (reminiscent to adodb's).
For the most part the multi-table queries tend to be pretty tight as long as the indexes are already set up. I've been considering what it would take to parse an explain and make suggestions for some time.

The whole idea is something of a self-generating dao (or orm, i get the concepts and then I get them mixed up) that quietly caches itself out of existence over time, but sticks around for general maintenance when needed. I'm glad to see some interest. Good motivation to get this thing out in the world soon.

Mark

From lists at enobrev.com Sun Sep 16 20:10:51 2007
From: lists at enobrev.com (Mark Armendariz)
Date: Sun, 16 Sep 2007 20:10:51 -0400
Subject: [nycphp-talk] ORM vs SQL: the ultimate showdown
In-Reply-To: <46ED782E.3070303@devonianfarm.com>
References: <46EA6E4A.9050504@secdat.com> <46EC0D3D.3040600@devonianfarm.com> <00c501c7f7b5$e5598920$6401a8c0@gamebox> <46EC316E.6030203@enobrev.com> <46ED782E.3070303@devonianfarm.com>
Message-ID: <46EDC60B.7090706@enobrev.com>

Paul Houle wrote:
> Mark Armendariz wrote:
> I'm really fascinated by ideas like this.
>
> Have you seen HQL, the query language that comes with the
> (Java-based) Hibernate ORM system?
>
> http://www.hibernate.org/hib_docs/reference/en/html/queryhql.html

This is interesting, Paul. Thank you. I've read about TQL and a couple others (tons of del.icio.us links) and hadn't run across HQL. They seem to have quite a bit of inter-table relationship info in their queries which is what i really want to avoid, but otherwise, it's interesting to see how it's done.

Thanks!

Mark

From christinak at wll.com Mon Sep 17 09:35:11 2007
From: christinak at wll.com (Christina Karlhoff)
Date: Mon, 17 Sep 2007 09:35:11 -0400
Subject: [nycphp-talk] PHP script needs some filter help
In-Reply-To: <2934ED1639B14D5E8FF6F5E75F0DE290@wlabs.local>
References: <2934ED1639B14D5E8FF6F5E75F0DE290@wlabs.local>
Message-ID:

Hi Gary,

Thanks, I appreciate your insight.
At the moment, I'm afraid that I am not privy to the correct implementation of php code to track a user's submission... I am going to look into php classes, and at the very least get somebody to design a custom php component for the company to use.

-----Original Message-----
From: talk-bounces at lists.nyphp.org [mailto:talk-bounces at lists.nyphp.org] On Behalf Of Gary Mort
Sent: Sunday, September 16, 2007 2:16 PM
To: NYPHP Talk
Subject: Re: [nycphp-talk] PHP script needs some filter help

Christina Karlhoff wrote:
>
> The situation: Our company's website host server only processes
> scripts in php, python, cld fusion [not in asp - go figure]. Our
> website has three separate user information request forms on it; all
> were posted using a php mail script. One day, all of a sudden, we get
> 20-30 bogus forms mail to us per day. Annoying and alarming. So i
> went searching for some way to control it. I managed to insert a php
> script with captcha into each. but, we are still getting bogus forms
> sent to us. Not as many, but still annoying and no fun...email header
> injections i take it?
>

Captcha prevents, to a degree, the automated use of your forms to send you email. It won't prevent someone from manually using those forms to send you email. Nor will it prevent someone from forging your email address and sending you spam.

So without knowing why the forms are bogus, it's somewhat hard to tell what the problem is.

As a first step, I'd make sure to code something so you track who submits an email through on a form (cookie plus ip address tracking along with placing a unique id for each email in the header) so you can compare the "spam" with your database and see where it is coming from. Then attack the problem from that perspective. If they all come from the same IP address range, add an extra captcha routine triggered just for them to confirm email. Reject their address entirely. Whatever.
From tedd at sperling.com Mon Sep 17 09:48:49 2007
From: tedd at sperling.com (tedd)
Date: Mon, 17 Sep 2007 09:48:49 -0400
Subject: [nycphp-talk] ORM vs SQL: the ultimate showdown
In-Reply-To: <46EDC425.2010805@enobrev.com>
References: <46EA6E4A.9050504@secdat.com> <46EC0D3D.3040600@devonianfarm.com> <00c501c7f7b5$e5598920$6401a8c0@gamebox> <46EC316E.6030203@enobrev.com> <4400D089-F617-45DD-ACC0-BCB7794732B1@beaffinitive.com> <46EDC425.2010805@enobrev.com>
Message-ID:

At 8:02 PM -0400 9/16/07, Mark Armendariz wrote:
>Rob Marscher wrote:
>>On Sep 15, 2007, at 3:24 PM, Mark Armendariz wrote:
>>>Anyways, that's my take on SQL and ORM. Both - with an easily
>>>manipulated and portable meta language.
>>Sounds pretty cool. Ever thought of analyzing the queries used
>>within an application and automatically generate (or suggest)
>>indexes? Seems like your system might have self-analyzing
>>capabilities to be able to do that.
>Working towards that as well. Currently has some basic profiling
>capabilities for finding the real nasty queries (reminiscent to
>adodb's). For the most part the multi-table queries tend to be
>pretty tight as long as the indexes are already set up. I've been
>considering what it would take to parse an explain and make
>suggestions for some time.
>
>The whole idea is something of a self-generating dao (or orm, i get
>the concepts and then I get them mixed up) that quietly caches
>itself out of existence over time, but sticks around for general
>maintenance when needed. I'm glad to see some interest. Good
>motivation to get this thing out in the world soon.
>
>Mark

In regard to self-analyzing, it would be nice to have the option to select what types of search methodologies the dB uses, such as splay.

Cheers,

tedd

--
-------
http://sperling.com
http://ancientstones.com
http://earthstones.com

From bz-gmort at beezifies.com Mon Sep 17 10:07:38 2007
From: bz-gmort at beezifies.com (Gary Mort)
Date: Mon, 17 Sep 2007 10:07:38 -0400
Subject: [nycphp-talk] PHP script needs some filter help
In-Reply-To:
References: <2934ED1639B14D5E8FF6F5E75F0DE290@wlabs.local>
Message-ID: <46EE8A2A.9090207@beezifies.com>

Christina Karlhoff wrote:
> Hi Gary,
>
> Thanks, I appreciate your insight.
>
> At the moment, I'm afraid that I am not privy to the correct
> implementation of php code to track a user's submission...
>

I make it up as I go along. :-)

You have a PHP form that sends an email. So, at the very least, find where the mail is sent to the internal user (don't do this for the copy sent to the submitter, assuming you are sending a copy to the submitter which, if you're getting spam, is a very very bad thing to do)

Assume that your message is stored in a text variable called $message.

$message .= " The submitters ip address was ";
$message .= $_SERVER['REMOTE_ADDR'];
$message .= " and the secret code is YoLarry";

The point of this little bit of text is twofold:

1) It will tell you the ip address of the system that is submitting spam through your form.

2) The secret code is just a stupid little phrase to add so that the email came through your own form generator. As you may have someone who is spoofing the address the form generator uses but sending spam externally (ie your form may be fine and it may be something outside of PHP causing the problems).

Note: A better solution is to add those 2 items to the header, not the email body. Plus adding some extra tracking info, a cookie, the browser type, capabilities, etc.
Basically, track your submissions and find out what, if any, is unique about the spam submissions that can be used to filter it.

What I would really do at that point is manually create the message id and store that in a database somewhere and do some reconciliation between the spam email and the emails generated by the form to ensure they're the same.

Basically, the main point I'm making is that right now you're getting spam. You think it comes from this form. Make SURE it comes from the form itself before you go spending time trying to figure out how to stop the form from sending spam.

Also note that if you are getting spam, you may not be the target of the spam. If you allow someone to CC themselves on an email, what you may have is a spammer who is trying to send spam to other people (by claiming to be them and asking to be cc'd on the email).

This is a quick and dirty troubleshooting step, not a long term solution. A long term solution would be to build a more comprehensive tracking system for the emails, make sure it is as secure as possible, and take things step by step.

(if you absolutely HAVE to allow everyone to send email to you through this form, you could send submitted emails through a spam filter and quarantine the spam on the server and just send the users a report every few hours "X new emails in Quarantine".)
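What Gary describes above, put into one form mailer, as an added example (it is not code from this thread or from the list). Every outgoing message gets the submitter's IP, browser and a unique id in custom headers rather than in the body, each submission is logged so a suspicious message can be reconciled against the log (a flat file here stands in for Gary's database), and any user-supplied value headed for a header is refused if it contains a CR or LF, which is the mechanism behind the "email header injection" Christina suspects. The header names, the secret phrase, the log path, the site address and the form field names are assumptions for the example.

```php
<?php
// Added example (not code from this thread): a form mailer that tags every
// message for later tracing and refuses header injection. The X-Form-* header
// names, $formSecret, $logFile and the field names in the usage are assumed.

$formSecret = 'YoLarry';                          // the "secret code"; keep it out of the HTML
$logFile    = __DIR__ . '/form-submissions.log';  // assumed path, writable by the web server

// A CR or LF inside a header value starts a new header line; that is how an
// extra Bcc:/To: gets smuggled in through a form field. Returns the trimmed
// value, or false if the value must not be placed in a header.
function cleanHeaderValue($value)
{
    $value = trim((string) $value);
    return preg_match('/[\r\n]/', $value) ? false : $value;
}

// Build the tracked message, log it, and hand it to mail().
// Returns the generated Message-ID, or false if the input was rejected.
function sendTrackedForm($to, $siteAddress, $replyTo, $subject, $message, $secret, $logFile)
{
    $replyTo = cleanHeaderValue($replyTo);
    $subject = cleanHeaderValue($subject);
    if ($replyTo === false || $subject === false
        || !filter_var($replyTo, FILTER_VALIDATE_EMAIL)) {
        return false;
    }

    $id        = uniqid('form-', true);                       // one id per submission
    $host      = isset($_SERVER['SERVER_NAME']) ? $_SERVER['SERVER_NAME'] : 'localhost';
    $messageId = '<' . $id . '@' . $host . '>';
    $remote    = isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
    $agent     = isset($_SERVER['HTTP_USER_AGENT']) ? cleanHeaderValue($_SERVER['HTTP_USER_AGENT']) : '';

    // Tracking data goes into headers, not the body. From: stays a fixed site
    // address; the submitter's address only ever appears in Reply-To:.
    $headers  = "From: form with captcha <" . $siteAddress . ">\r\n";
    $headers .= "Reply-To: " . $replyTo . "\r\n";
    $headers .= "Message-ID: " . $messageId . "\r\n";
    $headers .= "X-Form-Remote-Addr: " . $remote . "\r\n";
    $headers .= "X-Form-User-Agent: " . ($agent === false ? 'rejected' : $agent) . "\r\n";
    $headers .= "X-Form-Secret: " . $secret . "\r\n";         // proves the mail came through this script
    $headers .= "Content-Type: text/plain; charset=UTF-8\r\n";

    // Log before sending: a "spam" mail with no matching log line did not come from here.
    $record = array(date('c'), $id, $remote, $replyTo, md5($message));
    file_put_contents($logFile, implode("\t", $record) . "\n", FILE_APPEND | LOCK_EX);

    return mail($to, $subject, $message, $headers) ? $messageId : false;
}

// Reconciliation: look up the log entry for a received message's Message-ID.
// Returns the logged fields, or null if this form never issued that id.
function findLoggedSubmission($messageId, $logFile)
{
    if (!preg_match('/^<(form-[^@>]+)@/', $messageId, $m) || !is_readable($logFile)) {
        return null;
    }
    foreach (file($logFile, FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES) as $line) {
        $f = explode("\t", $line);
        if (count($f) === 5 && $f[1] === $m[1]) {
            return array('time' => $f[0], 'remote_addr' => $f[2], 'reply_to' => $f[3], 'body_md5' => $f[4]);
        }
    }
    return null;
}

// In the form handler (assumed field names):
// $id = sendTrackedForm('sales@example.com', 'forms@example.com',
//                       $_POST['email'], 'General information request',
//                       $_POST['message'], $formSecret, $logFile);
```

The recipient is fixed in the handler and never taken from the form, so the script cannot be used to relay mail to a third party, which is the CC abuse Gary warns about. When a suspect message arrives, its Message-ID and X-Form-Remote-Addr header either match a log line (the form really sent it, and the log says from which address) or they do not (the mail was forged outside the form, and no amount of form hardening will stop it).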
From mitch.pirtle at gmail.com Mon Sep 17 11:09:06 2007
From: mitch.pirtle at gmail.com (Mitch Pirtle)
Date: Mon, 17 Sep 2007 11:09:06 -0400
Subject: [nycphp-talk] Two part question: Shopping carts & E-commerce
In-Reply-To: <6b1dc5090709161324j1109f7ccq642fb4f815284d6f@mail.gmail.com>
References: <46D43B08.60009@beezifies.com> <70745236-EB98-4AC3-B754-4DC2A315323E@jonbaer.com> <46D47172.1000909@beezifies.com> <016801c7f7c5$9820c190$6401a8c0@gamebox> <6b1dc5090709161324j1109f7ccq642fb4f815284d6f@mail.gmail.com>
Message-ID: <330532b60709170809g53fa49eg86877780423957fa@mail.gmail.com>

I can't believe nobody's mentioned Magento yet:

http://www.magentocommerce.com/

That's the one I'm taking a very very close look at...

-- Mitch, impressed easily with all the pretty screens *blush*

From ben at projectskyline.com Mon Sep 17 11:25:58 2007
From: ben at projectskyline.com (Ben Sgro (ProjectSkyLine))
Date: Mon, 17 Sep 2007 11:25:58 -0400
Subject: [nycphp-talk] Two part question: Shopping carts & E-commerce
References: <46D43B08.60009@beezifies.com> <70745236-EB98-4AC3-B754-4DC2A315323E@jonbaer.com> <46D47172.1000909@beezifies.com> <016801c7f7c5$9820c190$6401a8c0@gamebox> <6b1dc5090709161324j1109f7ccq642fb4f815284d6f@mail.gmail.com> <330532b60709170809g53fa49eg86877780423957fa@mail.gmail.com>
Message-ID: <00af01c7f93f$0ccd8580$6401a8c0@gamebox>

Hello Mitch,

This product looks great. A lot nicer than OSCommerce in terms of look. Not sure if it functions better, since I've yet to use OSCommerce or any cart for that matter.

I'm going to look at it in detail now ...

Thanks for mentioning this!

- Ben

----- Original Message -----
From: "Mitch Pirtle"
To: "NYPHP Talk"
Sent: Monday, September 17, 2007 11:09 AM
Subject: Re: [nycphp-talk] Two part question: Shopping carts & E-commerce

>I can't believe nobody's mentioned Magento yet:
>
> http://www.magentocommerce.com/
>
> That's the one I'm taking a very very close look at...
>
> -- Mitch, impressed easily with all the pretty screens *blush*

From bz-gmort at beezifies.com Mon Sep 17 11:35:15 2007
From: bz-gmort at beezifies.com (Gary Mort)
Date: Mon, 17 Sep 2007 11:35:15 -0400
Subject: [nycphp-talk] Two part question: Shopping carts & E-commerce
In-Reply-To: <330532b60709170809g53fa49eg86877780423957fa@mail.gmail.com>
References: <46D43B08.60009@beezifies.com> <70745236-EB98-4AC3-B754-4DC2A315323E@jonbaer.com> <46D47172.1000909@beezifies.com> <016801c7f7c5$9820c190$6401a8c0@gamebox> <6b1dc5090709161324j1109f7ccq642fb4f815284d6f@mail.gmail.com> <330532b60709170809g53fa49eg86877780423957fa@mail.gmail.com>
Message-ID: <46EE9EB3.700@beezifies.com>

Mitch Pirtle wrote:
> I can't believe nobody's mentioned Magento yet:
>
> http://www.magentocommerce.com/
>

Magento? Ewww.. Now if they called it Magneto.....

From cliff at pinestream.com Mon Sep 17 11:38:45 2007
From: cliff at pinestream.com (Cliff Hirsch)
Date: Mon, 17 Sep 2007 11:38:45 -0400
Subject: [nycphp-talk] Two part question: Shopping carts & E-commerce
In-Reply-To: <330532b60709170809g53fa49eg86877780423957fa@mail.gmail.com>
Message-ID:

On 9/17/07 11:09 AM, "Mitch Pirtle" wrote:
> I can't believe nobody's mentioned Magento yet:
>
> http://www.magentocommerce.com/
>
> That's the one I'm taking a very very close look at...

Not production yet, last time I checked, but looks interesting.
From edwardpotter at gmail.com Mon Sep 17 14:09:52 2007
From: edwardpotter at gmail.com (Edward Potter)
Date: Mon, 17 Sep 2007 14:09:52 -0400
Subject: [nycphp-talk] Two part question: Shopping carts & E-commerce
In-Reply-To:
References: <330532b60709170809g53fa49eg86877780423957fa@mail.gmail.com>
Message-ID:

http://www.magentocommerce.com/

wow, looks VERY slick, have not yet looked at the source, but so far looks very slick.... I think osCommerce has kind of run its life span. IMHO

On 9/17/07, Cliff Hirsch wrote:
> On 9/17/07 11:09 AM, "Mitch Pirtle" wrote:
> > I can't believe nobody's mentioned Magento yet:
> >
> > http://www.magentocommerce.com/
> >
> > That's the one I'm taking a very very close look at...
>
> Not production yet, last time I checked, but looks interesting.
>

--
the Blog: http://www.utopiaparkway.com
the Karma: http://www.coderswithconscience.com
the Projects: http://flickr.com/photos/86842405 at N00/
the Store: http://astore.amazon.com/httpwwwutopic-20

From christinak at wll.com Mon Sep 17 14:37:34 2007
From: christinak at wll.com (Christina Karlhoff)
Date: Mon, 17 Sep 2007 14:37:34 -0400
Subject: [nycphp-talk] PHP script needs some filter help
In-Reply-To: <090F13186BF5429EBCC8CCBBF85C7111@wlabs.local>
References: <2934ED1639B14D5E8FF6F5E75F0DE290@wlabs.local> <090F13186BF5429EBCC8CCBBF85C7111@wlabs.local>
Message-ID:

>>A better solution is to add those 2 items to the header, not the email body. Plus adding some extra tracking info, a cookie, the browser type, capabilities, etc.
Basically, track your submissions and find out what, if any, is unique about the spam submissions that can be used to filter it.<<

Ok...so now I take what you provided below, and add its contents to the header, like this?

$header = "Return-Path: ".$mailuser."\r\n";
$header .= "From: form with captcha <".$mailuser.">\r\n";
$header .= "Content-Type: text/plain;\r\n";
$header .= "X-Message-Info: ".$message."\r\n";

Or...

...do I define it as you provided below, and make it appear as part of the mail message body like this?

$mail_body = 'The submitters ip address was '.$_SERVER['REMOTE_ADDR'].'
The User: '.$_POST['Company'].' has sent a request for general information.
The secret code is YoLarry';

=\

Christina~

From jonbaer at jonbaer.com Mon Sep 17 17:38:13 2007
From: jonbaer at jonbaer.com (Jon Baer)
Date: Mon, 17 Sep 2007 17:38:13 -0400
Subject: [nycphp-talk] php|works 07 slides
Message-ID: <3BB27F05-89EB-40CD-A7B1-B16636033D79@jonbaer.com>

For those interested ... Paul Jones put up his 2 slides - excellent topics - @ his blog here:

http://paul-m-jones.com/blog/

* Framework and Application Benchmarking
* Organizing Your PHP Project

Was trying to locate a few others from the schedule w/o luck, anyone have a repository link? Hearing it was a great conference.

Thanks.

- Jon

From jonbaer at jonbaer.com Mon Sep 17 17:42:10 2007
From: jonbaer at jonbaer.com (Jon Baer)
Date: Mon, 17 Sep 2007 17:42:10 -0400
Subject: [nycphp-talk] Re: php|works 07 slides
In-Reply-To: <3BB27F05-89EB-40CD-A7B1-B16636033D79@jonbaer.com>
References: <3BB27F05-89EB-40CD-A7B1-B16636033D79@jonbaer.com>
Message-ID: <62CCD347-2937-4548-95C5-23D5B66D9979@jonbaer.com>

Actually found the one I was looking for ...

http://sizzo.org/wp/talks/

* Facebook Performance Caching

Anyone know if there will be / was video?

- Jon

On Sep 17, 2007, at 5:38 PM, Jon Baer wrote:
> For those interested ... Paul Jones put up his 2 slides - excellent
> topics - @ his blog here:
>
> http://paul-m-jones.com/blog/
>
> * Framework and Application Benchmarking
> * Organizing Your PHP Project
>
> Was trying to locate a few others from the schedule w/o luck,
> anyone have a repository link? Hearing it was a great conference.
>
> Thanks.
>
> - Jon
>
From pmjones88 at gmail.com Mon Sep 17 17:47:11 2007
From: pmjones88 at gmail.com (Paul M Jones)
Date: Mon, 17 Sep 2007 16:47:11 -0500
Subject: [nycphp-talk] php|works 07 slides
In-Reply-To: <3BB27F05-89EB-40CD-A7B1-B16636033D79@jonbaer.com>
References: <3BB27F05-89EB-40CD-A7B1-B16636033D79@jonbaer.com>
Message-ID: <5D1AD2FF-E381-41DF-AF1D-466283E3FB57@gmail.com>

On Sep 17, 2007, at 4:38 PM, Jon Baer wrote:
> For those interested ... Paul Jones put up his 2 slides - excellent
> topics - @ his blog here:
>
> http://paul-m-jones.com/blog/
>
> * Framework and Application Benchmarking
> * Organizing Your PHP Project
>
> Was trying to locate a few others from the schedule w/o luck,
> anyone have a repository link? Hearing it was a great conference.

Hey Jon -- it was a good conference, thanks for the compliments.

The slides from all the talks (well, all the slides that got turned in, anyway) are at this location:

--
Paul M. Jones

Solar: Simple Object Library and Application Repository for PHP5. Join the Solar community wiki!
Savant: The simple, elegant, and powerful solution for templates in PHP.

From jonbaer at jonbaer.com Mon Sep 17 17:52:59 2007
From: jonbaer at jonbaer.com (Jon Baer)
Date: Mon, 17 Sep 2007 17:52:59 -0400
Subject: [nycphp-talk] php|works 07 slides
In-Reply-To: <5D1AD2FF-E381-41DF-AF1D-466283E3FB57@gmail.com>
References: <3BB27F05-89EB-40CD-A7B1-B16636033D79@jonbaer.com> <5D1AD2FF-E381-41DF-AF1D-466283E3FB57@gmail.com>
Message-ID:

Nice, thanks Paul!

- Jon

On Sep 17, 2007, at 5:47 PM, Paul M Jones wrote:
> On Sep 17, 2007, at 4:38 PM, Jon Baer wrote:
>
>> For those interested ... Paul Jones put up his 2 slides -
>> excellent topics - @ his blog here:
>>
>> http://paul-m-jones.com/blog/
>>
>> * Framework and Application Benchmarking
>> * Organizing Your PHP Project
>>
>> Was trying to locate a few others from the schedule w/o luck,
>> anyone have a repository link? Hearing it was a great conference.
>
> Hey Jon -- it was a good conference, thanks for the compliments.
>
> The slides from all the talks (well, all the slides that got turned
> in, anyway) are at this location:
>
>
>

From elharo at metalab.unc.edu Wed Sep 19 05:41:21 2007
From: elharo at metalab.unc.edu (Elliotte Harold)
Date: Wed, 19 Sep 2007 05:41:21 -0400
Subject: [nycphp-talk] AJAX and State
In-Reply-To: <46E14E2C.2030506@secdat.com>
References: <46DD54B0.5060803@secdat.com> <46E1238E.5010307@metalab.unc.edu> <46E12D4A.2010204@secdat.com> <46E12F93.4040700@metalab.unc.edu> <46E132B0.9010400@secdat.com> <46E138C2.3040307@metalab.unc.edu> <46E14E2C.2030506@secdat.com>
Message-ID: <46F0EEC1.5030608@metalab.unc.edu>

Kenneth Downs wrote:
> That can only be done if the password is stored on the browser between
> requests. No thanks!

I don't know about your browser but mine (and those of most of the people I know) store lots of passwords pretty much all the time. I prefer to trust Firefox's encryption and security to my ability to remember umpteen different passwords.

> At any rate, in principle I believe that sessions are a bad way to do
> things, they just have that bag-on-the-side feel. The only permanent
> use of a session in Andromeda is to store user information, notably
> user_id and password. I do this only because I am not aware of a secure
> session-less alternative. Any ideas are welcome.

The key idea is that all authentication data is transmitted with each request, not merely a session token. There may well be ways to make that authentication data something other than a username and password.

You may wish to explore what Amazon E3 does. They have some sort of unique private-key/public key encryption scheme that might suit you. Google GData also has some sort of strange, custom authentication scheme though I haven't explored it in detail.

--
Elliotte Rusty Harold  elharo at metalab.unc.edu
From elharo at metalab.unc.edu Wed Sep 19 05:43:43 2007
From: elharo at metalab.unc.edu (Elliotte Harold)
Date: Wed, 19 Sep 2007 05:43:43 -0400
Subject: [nycphp-talk] AJAX and State
In-Reply-To:
References: <46DD54B0.5060803@secdat.com> <07f701c7efb3$52f6a9f0$651ba8c0@MobileZ> <46DE9F28.5060705@beezifies.com> <46DEB1C4.2010205@enobrev.com> <46E124F0.7020309@metalab.unc.edu>
Message-ID: <46F0EF4F.7040702@metalab.unc.edu>

tedd wrote:
> My solution is to simply require them to log-in and set a session auth
> variable to OK and turn them loose. Then they have access to all the
> goodies.
>
> While what they ask for on the site is provided in the URL via a GET,
> and as such, they could bookmark it and/or send the URL to someone else
> -- but they can't get at the goodies without being logged-in (i.e.,
> session auth variable set to OK).
>
> Again, all pretty simple stuff.
>
> This works for me -- but, how do you do this without using sessions?
>

HTTP basic or digest authentication would do exactly this with less work on your part. There are other alternatives if that doesn't meet your needs, but HTTP authentication is by far the simplest approach.

--
Elliotte Rusty Harold  elharo at metalab.unc.edu
From elharo at metalab.unc.edu Wed Sep 19 05:48:25 2007
From: elharo at metalab.unc.edu (Elliotte Harold)
Date: Wed, 19 Sep 2007 05:48:25 -0400
Subject: [nycphp-talk] AJAX and State
In-Reply-To: <20070912214433.GA11305@panix.com>
References: <46DD54B0.5060803@secdat.com> <46E1238E.5010307@metalab.unc.edu> <46E12D4A.2010204@secdat.com> <46E12F93.4040700@metalab.unc.edu> <46E132B0.9010400@secdat.com> <46E138C2.3040307@metalab.unc.edu> <20070912214433.GA11305@panix.com>
Message-ID: <46F0F069.3000206@metalab.unc.edu>

Daniel Convissor wrote:
> On Fri, Sep 07, 2007 at 07:40:50AM -0400, Elliotte Harold wrote:
>> Nonetheless, the username and password should be transmitted with each
>> request (in the HTTP header, not the URL)
>
> Are you saying the web browser should send the user name and password to
> the HTTP server on each request? That's a lousy idea.
>

Yes I am, and it's not a lousy idea. This follows directly from the core principles of HTTP. HTTP Basic authentication does that. HTTP digest is a little more complex. And there are some other alternatives. However the fundamental principle is that full auth data must be sent with each request.

Breaking that rule is going to cost you big time when you need to scale an application. It very well may introduce single points of failure into your app. You can architect around those, but only at the cost of doing a lot more work with a lot more machines than you would have had to do if your app had followed the design of HTTP instead of working against it.

--
Elliotte Rusty Harold  elharo at metalab.unc.edu
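The principle Elliotte states above, every request carrying its full auth data and the server keeping no session, in PHP, as an added example that is not code from this thread or from Andromeda. It covers both forms discussed in the thread: HTTP Basic, where the browser resends the user name and password on every hit, and the "issue them a key" idea Kenneth raises further down, where a per-user secret key signs each request and the password never travels at all. The user table, the realm, the X-Auth-* header names and the demo credentials are assumptions for the example; password_hash()/password_verify() need PHP 5.5 or later and hash_equals() PHP 5.6 or later.

```php
<?php
// Added example (not from the thread or from Andromeda): two ways to
// authenticate a request from what the request itself carries, with nothing
// kept in $_SESSION. Users, realm, header names and credentials are assumed.

$users = array(
    'alice' => array(
        'hash' => password_hash('correct horse', PASSWORD_DEFAULT), // assumed demo password
        'key'  => 'k3y-for-alice-only',                             // assumed demo signing key
    ),
);

// Variant 1: HTTP Basic. Apache's PHP module decodes the Authorization header
// into PHP_AUTH_USER / PHP_AUTH_PW; under CGI/FastCGI they are only present if
// the server is configured to pass the header through. Returns the user name or null.
function authenticateBasic(array $server, array $users)
{
    if (!isset($server['PHP_AUTH_USER'], $server['PHP_AUTH_PW'])) {
        return null;
    }
    $name = $server['PHP_AUTH_USER'];
    if (!isset($users[$name]) || !password_verify($server['PHP_AUTH_PW'], $users[$name]['hash'])) {
        return null;
    }
    return $name;
}

// Variant 2: signed requests. The client sends X-Auth-User, X-Auth-Timestamp
// (Unix time) and X-Auth-Signature = HMAC-SHA256 over method, path, timestamp
// and body, keyed with its own key. The server recomputes the same value.
function signRequest($key, $method, $path, $timestamp, $body)
{
    $material = $method . "\n" . $path . "\n" . $timestamp . "\n" . $body;
    return hash_hmac('sha256', $material, $key);
}

// Returns the user name or null. $now is a parameter so the window check can
// be exercised; $window is the clock skew / replay tolerance in seconds.
function authenticateSigned(array $server, $body, array $users, $now, $window = 300)
{
    foreach (array('HTTP_X_AUTH_USER', 'HTTP_X_AUTH_TIMESTAMP', 'HTTP_X_AUTH_SIGNATURE') as $h) {
        if (!isset($server[$h])) {
            return null;
        }
    }
    $name = $server['HTTP_X_AUTH_USER'];
    $ts   = (string) $server['HTTP_X_AUTH_TIMESTAMP'];
    if (!isset($users[$name]) || !ctype_digit($ts) || abs($now - (int) $ts) > $window) {
        return null;  // unknown user, malformed timestamp, or a replay outside the window
    }
    $expected = signRequest($users[$name]['key'], $server['REQUEST_METHOD'], $server['REQUEST_URI'], $ts, $body);
    // Constant-time comparison so a wrong signature cannot be told apart by timing.
    return hash_equals($expected, (string) $server['HTTP_X_AUTH_SIGNATURE']) ? $name : null;
}

// Per-request glue: accept either scheme, otherwise challenge. No session is
// created, so any server behind a load balancer can answer the next request.
function requireUser(array $users)
{
    $user = authenticateBasic($_SERVER, $users);
    if ($user === null) {
        $user = authenticateSigned($_SERVER, file_get_contents('php://input'), $users, time());
    }
    if ($user === null) {
        header('WWW-Authenticate: Basic realm="app"');   // assumed realm
        header('HTTP/1.0 401 Unauthorized');
        exit;
    }
    return $user;
}
```

Two caveats a practitioner would want next to this. Basic sends the password in the clear (base64 is not encryption) on every request, so it only makes sense over HTTPS. The signed variant keeps the password off the wire and makes a captured request useless after the window, but the signing key is itself a secret that has to live somewhere on the client; that suits programmatic clients (the Amazon-style case) better than it addresses Kenneth's worry about what a browser holds in memory.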
From ken at secdat.com Wed Sep 19 06:56:37 2007
From: ken at secdat.com (Kenneth Downs)
Date: Wed, 19 Sep 2007 06:56:37 -0400
Subject: [nycphp-talk] AJAX and State
In-Reply-To: <46F0F069.3000206@metalab.unc.edu>
References: <46DD54B0.5060803@secdat.com> <46E1238E.5010307@metalab.unc.edu> <46E12D4A.2010204@secdat.com> <46E12F93.4040700@metalab.unc.edu> <46E132B0.9010400@secdat.com> <46E138C2.3040307@metalab.unc.edu> <20070912214433.GA11305@panix.com> <46F0F069.3000206@metalab.unc.edu>
Message-ID: <46F10065.5030606@secdat.com>

Elliotte Harold wrote:
> Daniel Convissor wrote:
>> On Fri, Sep 07, 2007 at 07:40:50AM -0400, Elliotte Harold wrote:
>>> Nonetheless, the username and password should be transmitted with
>>> each request (in the HTTP header, not the URL)
>>
>> Are you saying the web browser should send the user name and password
>> to the HTTP server on each request? That's a lousy idea.
>>
>
> Yes I am, and it's not a lousy idea. This follows directly from the
> core principles of HTTP. HTTP Basic authentication does that. HTTP
> digest is a little more complex. And there are some other
> alternatives. However the fundamental principle is that full auth data
> must be sent with each request.
>
> Breaking that rule is going to cost you big time when you need to
> scale an application. It very well may introduce single points of
> failure into your app. You can architect around those, but only at the
> cost of doing a lot more work with a lot more machines than you would
> have had to do if your app had followed the design of HTTP instead of
> working against it.
>

It is actually very appealing from the overall design viewpoint. Since Andromeda logs you in to db server with the credentials you supply (instead of something generic) then we have lost all need for state.
The itch though is in entrusting the uid/pw to the browser's memory, which is easily exploitable. I simply cannot believe that that data is adequately protected on an IE/Windows machine.

But then on the third hand the browser is trapping passwords anyway with various wallet mechanisms that I cannot prevent, so what the heck, right?

Right now I'm considering the judgment call between those two ideas.

--
Kenneth Downs
Secure Data Software, Inc.
www.secdat.com www.andromeda-project.org
631-689-7200 Fax: 631-689-0527
cell: 631-379-0010

From ken at secdat.com Wed Sep 19 06:58:41 2007
From: ken at secdat.com (Kenneth Downs)
Date: Wed, 19 Sep 2007 06:58:41 -0400
Subject: [nycphp-talk] AJAX and State
In-Reply-To: <46F0EEC1.5030608@metalab.unc.edu>
References: <46DD54B0.5060803@secdat.com> <46E1238E.5010307@metalab.unc.edu> <46E12D4A.2010204@secdat.com> <46E12F93.4040700@metalab.unc.edu> <46E132B0.9010400@secdat.com> <46E138C2.3040307@metalab.unc.edu> <46E14E2C.2030506@secdat.com> <46F0EEC1.5030608@metalab.unc.edu>
Message-ID: <46F100E1.7090701@secdat.com>

Elliotte Harold wrote:
> Kenneth Downs wrote:
>
>> That can only be done if the password is stored on the browser
>> between requests. No thanks!
>
> I don't know about your browser but mine (and those of most of the
> people I know) store lots of passwords pretty much all the time. I
> prefer to trust Firefox's encryption and security to my ability to
> remember umpteen different passwords.

Me too, except that my customers still run IE on Windows.

>
>> At any rate, in principle I believe that sessions are a bad way to do
>> things, they just have that bag-on-the-side feel. The only permanent
>> use of a session in Andromeda is to store user information, notably
>> user_id and password. I do this only because I am not aware of a
>> secure session-less alternative. Any ideas are welcome.
>
> You may wish to explore what Amazon E3 does.
They have some sort of > unique private-key/public key encryption scheme that might suit you. > Google GData also has some sort of strange, custom authentication > scheme though I haven't explored it in detail. > You can issue them a key as well, and require that key. That adds trouble to the login process, but does produce greater security. -- Kenneth Downs Secure Data Software, Inc. www.secdat.com www.andromeda-project.org 631-689-7200 Fax: 631-689-0527 cell: 631-379-0010 From david at davidmintz.org Wed Sep 19 16:34:59 2007 From: david at davidmintz.org (David Mintz) Date: Wed, 19 Sep 2007 16:34:59 -0400 Subject: [nycphp-talk] what's up with array_diff() Message-ID: <721f1cc50709191334q4faeaf4aya0fde47d69152f91@mail.gmail.com> The description of array_diff at http://www.php.net/manual/en/function.array-diff.php says it computes the difference between the arrays you pass it, and returns that difference as an array. The behavior is that it finds and returns an array of elements that are present in the first argument that are not present in the following arguments, so the order in which you pass in your arrays is all-important. I am trying to find out if two arrays are different from each other or not. I can sort() and then compare with ==, but I thought this might be more elegant. Now I am looking at if (array_diff($one,$two) or array_diff($two,$one)) { /* do something */ } but I wonder if anyone can suggest a better way. Thanks. -- David Mintz http://davidmintz.org/ The subtle source is clear and bright The tributary streams flow through the darkness -------------- next part -------------- An HTML attachment was scrubbed... 
From ramons at gmx.net Wed Sep 19 18:47:18 2007 From: ramons at gmx.net (David Krings) Date: Wed, 19 Sep 2007 18:47:18 -0400 Subject: [nycphp-talk] what's up with array_diff() In-Reply-To: <721f1cc50709191334q4faeaf4aya0fde47d69152f91@mail.gmail.com> References: <721f1cc50709191334q4faeaf4aya0fde47d69152f91@mail.gmail.com> Message-ID: <46F1A6F6.9020007@gmx.net>

David Mintz wrote:
> Now I am looking at
>
> if (array_diff($one,$two) or array_diff($two,$one)) {
>     /* do something */
> }
>
> but I wonder if anyone can suggest a better way.
>

I can only think of a worse way by looping through one array and seeing if the key/value pair exists in the other one. That might be OK for small arrays, but my assumption is that array_diff is way more optimized. I just wonder how if() will evaluate an array. Also, when the arrays are identical the return value is an empty array. Again, I am not sure if if() evaluates an empty array differently than an array with stuff in it. Also, comments on php.net indicate that when one array in fact is not an array the return value of array_diff is NULL. So, you probably need to run array_diff and then check the count of the resulting array. If it is anything other than 0 the arrays are different. In theory, haven't tried that out.

Good luck!

David K.
From ikedrin at clinicaladvisors.com Wed Sep 19 23:39:00 2007 From: ikedrin at clinicaladvisors.com (Ivan Kedrin) Date: Wed, 19 Sep 2007 23:39:00 -0400 Subject: [nycphp-talk] what's up with array_diff() In-Reply-To: <721f1cc50709191334q4faeaf4aya0fde47d69152f91@mail.gmail.com> References: <721f1cc50709191334q4faeaf4aya0fde47d69152f91@mail.gmail.com> Message-ID: <051e01c7fb37$c81b16a0$0b01a8c0@tokra>

take a look at http://us.php.net/operators.comparison for some suggestions:

function array_equal($a, $b) {
    return (is_array($a) && is_array($b) && array_diff($a, $b) === array_diff($b, $a));
}

function array_identical($a, $b) {
    return (is_array($a) && is_array($b) && array_diff_assoc($a, $b) === array_diff_assoc($b, $a));
}

alternatively, you could always serialize() and compare using == if your definition of "equals" requires them to be identical in every respect including order of the keys and if you don't care about overhead related to serialization. there are probably also some shortcuts that could save some cpu cycles but it depends on the type of data you got in your arrays, array size, etc.

-ivan kedrin

_____

From: talk-bounces at lists.nyphp.org [mailto:talk-bounces at lists.nyphp.org] On Behalf Of David Mintz Sent: Wednesday, September 19, 2007 4:35 PM To: NYPHP Talk Subject: [nycphp-talk] what's up with array_diff()

The description of array_diff at http://www.php.net/manual/en/function.array-diff.php says it computes the difference between the arrays you pass it, and returns that difference as an array. The behavior is that it finds and returns an array of elements that are present in the first argument that are not present in the following arguments, so the order in which you pass in your arrays is all-important. I am trying to find out if two arrays are different from each other or not. I can sort() and then compare with ==, but I thought this might be more elegant.
Now I am looking at if (array_diff($one,$two) or array_diff($two,$one)) { /* do something */ } but I wonder if anyone can suggest a better way. Thanks. -- David Mintz http://davidmintz.org/ The subtle source is clear and bright The tributary streams flow through the darkness -------------- next part -------------- An HTML attachment was scrubbed... URL: From david at davidmintz.org Thu Sep 20 09:34:24 2007 From: david at davidmintz.org (David Mintz) Date: Thu, 20 Sep 2007 09:34:24 -0400 Subject: [nycphp-talk] what's up with array_diff() In-Reply-To: <051e01c7fb37$c81b16a0$0b01a8c0@tokra> References: <721f1cc50709191334q4faeaf4aya0fde47d69152f91@mail.gmail.com> <051e01c7fb37$c81b16a0$0b01a8c0@tokra> Message-ID: <721f1cc50709200634y7631d3d2ie4317453a4ad2f98@mail.gmail.com> Interesting -- thank you gentlemen. Actually this whole thing stems from the issue of inserting/deleting related rows from an intersection table in a many-to-many scenario, and keeping the view consistent with the model in an Ajaxy way. Maybe I will commence a new thread. On 9/19/07, Ivan Kedrin wrote: > > take a look at http://us.php.net/operators.comparison for some > suggestions: > > > > function array_equal($a, $b) { > return (is_array($a) && is_array($b) && array_diff($a, $b) === > array_diff($b, $a)); > } > > > > function array_identical($a, $b) { > return (is_array($a) && is_array($b) && array_diff_assoc($a, $b) === > array_diff_assoc($b, $a)); > } > > > > alternatively, you could always serialize() and compare using == if your > definition of "equals" requires them to be identical in every respect > including order of the keys and if you don't care about overhead related to > serialization. there are probably also some shortcuts that could save some > cpu cycles but it depends on the type of data you got in your arrays, array > size, etc. 
> > > > -ivan kedrin > > > ------------------------------ > > *From:* talk-bounces at lists.nyphp.org [mailto:talk-bounces at lists.nyphp.org] > *On Behalf Of *David Mintz > *Sent:* Wednesday, September 19, 2007 4:35 PM > *To:* NYPHP Talk > *Subject:* [nycphp-talk] what's up with array_diff() > > > > > The description of array_diff at > http://www.php.net/manual/en/function.array-diff.php says it computes the > difference between the arrays you pass it, and returns that difference as an > array. > > The behavior is that it finds and returns an array of elements that are > present in the first argument that are not present in the following > arguments, so the order in which you pass in your arrays is all-important. > > I am trying to find out if two arrays are different from each other or > not. I can sort() and then compare with ==, but I thought this might be more > elegant. > > Now I am looking at > > if (array_diff($one,$two) or array_diff($two,$one)) { > /* do something */ > } > > but I wonder if anyone can suggest a better way. > > Thanks. > > -- > David Mintz > http://davidmintz.org/ > > The subtle source is clear and bright > The tributary streams flow through the darkness > > _______________________________________________ > New York PHP Community Talk Mailing List > http://lists.nyphp.org/mailman/listinfo/talk > > NYPHPCon 2006 Presentations Online > http://www.nyphpcon.com > > Show Your Participation in New York PHP > http://www.nyphp.org/show_participation.php > -- David Mintz http://davidmintz.org/ The subtle source is clear and bright The tributary streams flow through the darkness -------------- next part -------------- An HTML attachment was scrubbed... 
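The comparison strategies discussed in this thread side by side (the array_diff / array_diff_assoc approach, sort()-then-compare, and serialize()), as an added example that is not from the list itself; it assumes PHP 7.1 or later and constructed sample arrays, and shows the one case the array_diff-based test cannot distinguish: arrays that differ only in how many times a value occurs.

```php
<?php
// Added example, not from the thread: four ways to decide whether two PHP
// arrays are "the same", and the inputs on which they disagree.

// Value equality ignoring keys and order (the array_diff-based test from the
// thread). array_diff() compares values as strings, so 1 and "1" count as the
// same value here. An empty array is falsy, which is why the original
// "if (array_diff($one, $two) or array_diff($two, $one))" test also works.
function values_equal(array $a, array $b): bool
{
    return array_diff($a, $b) === array_diff($b, $a);
}

// Same idea, but a value only matches if it sits under the same key.
function entries_equal(array $a, array $b): bool
{
    return array_diff_assoc($a, $b) === array_diff_assoc($b, $a);
}

// Multiset equality: same values, same multiplicity, order ignored.
// sort() reindexes the copies, so === then compares values positionally
// and strictly (1 and "1" are different here).
function multiset_equal(array $a, array $b): bool
{
    if (count($a) !== count($b)) {
        return false;
    }
    sort($a);
    sort($b);
    return $a === $b;
}

// Exact equality including key order, via serialize().
function serialized_equal(array $a, array $b): bool
{
    return serialize($a) === serialize($b);
}

// Run every strategy on one pair and report the verdicts.
function compare_all(array $a, array $b): array
{
    return [
        'values'     => values_equal($a, $b),
        'entries'    => entries_equal($a, $b),
        'multiset'   => multiset_equal($a, $b),
        'serialized' => serialized_equal($a, $b),
    ];
}

// Constructed inputs. Expected verdicts (values, entries, multiset, serialized):
//   same order        true,  true,  true,  true
//   reordered         true,  false, true,  false
//   duplicate         true,  false, false, false   <- array_diff cannot see this
//   keys swapped      true,  false, true,  false
//   key order differs true,  true,  true,  false
$cases = [
    'same order'        => [[1, 2, 3], [1, 2, 3]],
    'reordered'         => [[1, 2, 3], [3, 1, 2]],
    'duplicate'         => [[1, 1, 2], [1, 2]],
    'keys swapped'      => [['a' => 1, 'b' => 2], ['b' => 1, 'a' => 2]],
    'key order differs' => [['a' => 1, 'b' => 2], ['b' => 2, 'a' => 1]],
];

foreach ($cases as $name => [$a, $b]) {
    printf("%-18s %s\n", $name, json_encode(compare_all($a, $b)));
}
```

Pick the strategy by the definition of "equal" the calling code actually needs; the array type hints also make a non-array argument a TypeError instead of the silent NULL return mentioned earlier in the thread.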
URL: From anangtt at hotmail.com Thu Sep 20 12:57:06 2007 From: anangtt at hotmail.com (anan tette-tawia) Date: Thu, 20 Sep 2007 12:57:06 -0400 Subject: [nycphp-talk] Craigslist Integration Message-ID: Integration with Craigslist Has anyone developed a system that integrated with Craigslist housing and apartments portal before. My client is a real estate agent who wants to be able to upload new property info onto his site and then have it also posted on craigslist if he checks a particular button. The problem is that i have been doing researching on finding any such API or document that explains how to achieve this type of integration with craigslist without much success. I would greatly appreciate any assistance from this list. thanx, Anang -------------- next part -------------- An HTML attachment was scrubbed... URL: From dcech at phpwerx.net Thu Sep 20 13:10:03 2007 From: dcech at phpwerx.net (Dan Cech) Date: Thu, 20 Sep 2007 13:10:03 -0400 Subject: [nycphp-talk] Craigslist Integration In-Reply-To: References: Message-ID: <46F2A96B.8030402@phpwerx.net> anan tette-tawia wrote: > Has anyone developed a system that integrated with Craigslist housing > and apartments portal before. My client is a real estate agent who > wants to be able to upload new property info onto his site and then > have it also posted on craigslist if he checks a particular button. > > The problem is that i have been doing researching on finding any such > API or document that explains how to achieve this type of integration > with craigslist without much success. I would greatly appreciate any > assistance from this list. I think you will find that there is no documentation because this kind of thing is expressly forbidden by the Craigslist Terms of Use. 
> y) use any form of automated device or computer program that enables the > submission of postings on craigslist without each posting being manually > entered by the author thereof (an "automated posting device"), including > without limitation, the use of any such automated posting device to submit > postings in bulk, or for automatic submission of postings at regular intervals. http://www.craigslist.org/about/terms.of.use.html#conduct Dan From ben at projectskyline.com Thu Sep 20 13:17:34 2007 From: ben at projectskyline.com (Ben Sgro (ProjectSkyLine)) Date: Thu, 20 Sep 2007 13:17:34 -0400 Subject: [nycphp-talk] Craigslist Integration References: <46F2A96B.8030402@phpwerx.net> Message-ID: <01bf01c7fbaa$237c4fb0$6401a8c0@gamebox> Hello, There are some 3rd party apps you can purchase that do this. I've written code in perl to do reply to postings based on certain "weights" with/in the post. I've looked into the writing auto-post code, but its a bit more complicated w/the CAPTCHAs and pop checking. - Ben ----- Original Message ----- From: "Dan Cech" To: "NYPHP Talk" Sent: Thursday, September 20, 2007 1:10 PM Subject: Re: [nycphp-talk] Craigslist Integration > anan tette-tawia wrote: >> Has anyone developed a system that integrated with Craigslist housing >> and apartments portal before. My client is a real estate agent who >> wants to be able to upload new property info onto his site and then >> have it also posted on craigslist if he checks a particular button. >> >> The problem is that i have been doing researching on finding any such >> API or document that explains how to achieve this type of integration >> with craigslist without much success. I would greatly appreciate any >> assistance from this list. > > I think you will find that there is no documentation because this kind > of thing is expressly forbidden by the Craigslist Terms of Use. 
> >> y) use any form of automated device or computer program that enables the >> submission of postings on craigslist without each posting being manually >> entered by the author thereof (an "automated posting device"), including >> without limitation, the use of any such automated posting device to >> submit >> postings in bulk, or for automatic submission of postings at regular >> intervals. > > http://www.craigslist.org/about/terms.of.use.html#conduct > > Dan > _______________________________________________ > New York PHP Community Talk Mailing List > http://lists.nyphp.org/mailman/listinfo/talk > > NYPHPCon 2006 Presentations Online > http://www.nyphpcon.com > > Show Your Participation in New York PHP > http://www.nyphp.org/show_participation.php From tomsartain at gmail.com Thu Sep 20 15:04:57 2007 From: tomsartain at gmail.com (Tom Sartain) Date: Thu, 20 Sep 2007 15:04:57 -0400 Subject: [nycphp-talk] Craigslist Integration In-Reply-To: <46F2A96B.8030402@phpwerx.net> References: <46F2A96B.8030402@phpwerx.net> Message-ID: <20190d950709201204q6b07226vabd0c1c80181cf8f@mail.gmail.com> Actually, it seems like the case could be made that this does not go against their TOS (or at least, the segment you copied). It seems that this would simply post on Craigslist whatever the user posted on their own site.. and only by opt in. Seems like each posting would be entered manually (albeit, in a non-Craigslist site), and each would be submitted only once, so it's not like they would be submitted in bulk, or at any interval. So just based off of the quote Dan gave, it doesn't seem to be against their TOS. As to the technical side of things, and the original question, you could use the cURL library to send a POST over to the Craigslist form handler. If you're using Firefox, you could use the excellent LiveHTTPHeaders extension to see what variables are being posted when the form is submitted on Craigslist, then work that in with the rest of your script using cURL. 
Hope that made sense, and it should get you a step in the right direction. On 9/20/07, Dan Cech wrote: > > > I think you will find that there is no documentation because this kind > of thing is expressly forbidden by the Craigslist Terms of Use. > > > y) use any form of automated device or computer program that enables the > > submission of postings on craigslist without each posting being manually > > entered by the author thereof (an "automated posting device"), including > > without limitation, the use of any such automated posting device to > submit > > postings in bulk, or for automatic submission of postings at regular > intervals. > > http://www.craigslist.org/about/terms.of.use.html#conduct > > Dan > _______________________________________________ > New York PHP Community Talk Mailing List > http://lists.nyphp.org/mailman/listinfo/talk > > NYPHPCon 2006 Presentations Online > http://www.nyphpcon.com > > Show Your Participation in New York PHP > http://www.nyphp.org/show_participation.php > -------------- next part -------------- An HTML attachment was scrubbed... URL:

From ioplex at gmail.com Fri Sep 21 11:27:05 2007 From: ioplex at gmail.com (Michael B Allen) Date: Fri, 21 Sep 2007 11:27:05 -0400 Subject: [nycphp-talk] array_get_value? Message-ID: <78c6bd860709210827h35f8c5a3w670947824b495de4@mail.gmail.com>

Hey,

I find myself doing a lot of:

if (isset($data['foo']))
    // use $data['foo']

Is there an existing array function that gets the array value or returns a default value like:

function array_get_value($arr, $key, $def) {
    // array_key_exists() takes the key first, then the array
    return array_key_exists($key, $arr) ? $arr[$key] : $def;
}

?

Mike

From ken at secdat.com Fri Sep 21 11:45:25 2007 From: ken at secdat.com (Kenneth Downs) Date: Fri, 21 Sep 2007 11:45:25 -0400 Subject: [nycphp-talk] array_get_value? In-Reply-To: <78c6bd860709210827h35f8c5a3w670947824b495de4@mail.gmail.com> References: <78c6bd860709210827h35f8c5a3w670947824b495de4@mail.gmail.com> Message-ID: <46F3E715.40700@secdat.com>

I wrote my own as one of my very first PHP library functions. It's extremely useful for writing simple and clean code, like:

$state = ArrayValue($_POST,'state','NY');

Then you need one in javascript:

function getProperty(object,property,defvalue) {
    defvalue = defvalue==null ? '' : defvalue;
    if(object == null) return defvalue;
    if(typeof(object[property])=='undefined')
        return defvalue;
    else
        return object[property];
}

Michael B Allen wrote:
> Hey,
>
> I find myself doing a lot of:
>
> if (isset($data['foo']))
>     // use $data['foo']
>
> Is there an existing array function that gets the array value or
> returns a default value like:
>
> function array_get_value($arr, $key, $def) {
>     return array_key_exists($key, $arr) ? $arr[$key] : $def;
> }
>
> ?
>
> Mike
> _______________________________________________
> New York PHP Community Talk Mailing List
> http://lists.nyphp.org/mailman/listinfo/talk
>
> NYPHPCon 2006 Presentations Online
> http://www.nyphpcon.com
>
> Show Your Participation in New York PHP
> http://www.nyphp.org/show_participation.php
>

-- Kenneth Downs Secure Data Software, Inc. www.secdat.com www.andromeda-project.org 631-689-7200 Fax: 631-689-0527 cell: 631-379-0010

From ioplex at gmail.com Fri Sep 21 13:14:50 2007 From: ioplex at gmail.com (Michael B Allen) Date: Fri, 21 Sep 2007 13:14:50 -0400 Subject: [nycphp-talk] array_get_value? In-Reply-To: <46F3E715.40700@secdat.com> References: <78c6bd860709210827h35f8c5a3w670947824b495de4@mail.gmail.com> <46F3E715.40700@secdat.com> Message-ID: <78c6bd860709211014r26bcff73q42e0d29db075297b@mail.gmail.com>

On 9/21/07, Kenneth Downs wrote:
>
> $state = ArrayValue($_POST,'state','NY');

There's a mistake in your code.
It should be: $state = ArrayValue($_POST,'state','NJ'); :-) Mike From bz-gmort at beezifies.com Fri Sep 21 15:01:38 2007 From: bz-gmort at beezifies.com (Gary Mort) Date: Fri, 21 Sep 2007 15:01:38 -0400 Subject: [nycphp-talk] Re: [joomla] Sphinx search In-Reply-To: <330532b60709210919x509678eep1a42e409740e61a3@mail.gmail.com> References: <46F3B50C.6030203@beezifies.com> <330532b60709210919x509678eep1a42e409740e61a3@mail.gmail.com> Message-ID: <46F41512.3040006@beezifies.com> Mitch Pirtle wrote: > I'd love to see some sort of joomla<->sphinx integration, that one > might be worth creating a project for on JoomlaCode. To be honest > though I'm not sure how you would integrate the two, as they are quite > separate and distinct beasts ;-) Well, I've been fixing some code that does searches of data in a Joomla component(AdsManager), which also comes with a really messy mambot to plug into the regular Joomla search. The default searches are really really bad(price fields can be searched for EXACT price, not ranges). So I started looking at how to make that advanced search mode a bit more friendly, when I ran across Sphinx and looking at it, it has every advanced search function I would want. Since all you need from your search result is an id number and the component it is in, it seems to me Sphinx could be easily integrated with a server side search, so the server checks the Sphinx system based on the parms, and returns a bunch of data, than back to the Joomla MVC component to format the display of the data. I have a good idea of how to integrate my component with Sphinx. And I see how to do the Joomla content component. The big problem I was looking at was how to make it painless to integrate everything else? 
Something that would take all the search Plugins installed for each component, and build out the Sphinx index (though worst case, I think that can be handled just by saying "hey, here is a neat tool if you want to write yet ANOTHER search module"). The only downside I saw with it was requiring a server to run the daemon on (yeah, I'm a shared hosting guy. I just don't have the time to deal with the hassle of setting up, configuring, and securing a server these days. Other than periodic refreshes on my MythTV/router I don't worry about it much.) Still, it would be a fun project to work on, providing I can find someone who wants to handle the headache of maintaining a linux server. :-)

From paulcheung at tiscali.co.uk Fri Sep 21 15:47:28 2007 From: paulcheung at tiscali.co.uk (PaulCheung) Date: Fri, 21 Sep 2007 20:47:28 +0100 Subject: [nycphp-talk] MySQL Monitor V PHP & MySQL Message-ID: <008001c7fc88$3e086d80$0200a8c0@X9183>

I have researched, checked and tried everything I can think of and still cannot get it to work.

When using MySQL monitor the following works:
=================================
SELECT access_code FROM authorised_users WHEN user_id = 'Nancy' AND user_password = 'qwerty' AND account = '48572998';

Access_code is displayed = 11966552

When using PHP & MySQL ($userid='Nancy', $user_password='qwerty', $account='48572998'):
====================
auth
");
echo ("password = " . $password . "
");
echo ("account = " . $account . "
");
echo ("self = " . $self . "
");

/* VALIDATE FOR BLANK INPUT FIELD */
if( ( !$userid ) or ( !$password ) or (!$account) )
{
    header( "Location:$referer" );
    exit();
}

/*CONNECT TO MYSQL */
$conn=@mysql_connect( "localhost", "paul", "enter" )
    or die( "Could not connect" );

/* CONNECT TO DATABASE */
$rs = @mysql_select_db( "test_db", $conn )
    or die( "Could not select database" );

$rs = @mysql_select_db( "test_db", $conn ) or die( "Could not select database" );

$sql = "SELECT access_code
        FROM authorised_users
        user_id = '$userid' AND
        user_password = '$password' AND
        account = '$account'";

$rs = mysql_query( $sql, $conn ) or die( "Could not execute query" );

$num = mysql_numrows( $rs );

if( $num != 0 )
{
    $access_code = access_code;
    echo ("testcheckpoint - Welcome - your log-in succeeded!" . "
");
    echo ("testcheckpoint - accesscode = " . access_code . "
");
    echo ('testcheckpoint - $accesscode = ' . $access_code . "
");
}
else
{
    echo (" test checkpoint statement 55 " . "
");
    header( "Location:$referer" );
    exit();
}
===========================================

This is what is returned from the test:

user id = Nancy
password = qwerty
account = 48572998
self = /tp_orth.php
conn = Resource id #2
sql = SELECT access_code FROM authorised_users WHERE user_id = 'Nancy' AND user_password = 'qwerty' AND account = '48572998'
access = 0
Welcome - your log-in succeeded!
testcheckpoint - accesscode = access_code
testcheckpoint - $accesscode = access_code

I am trying to get the Access_code and cannot see what I am doing wrong.

P

From kenneth at ylayali.net Fri Sep 21 16:03:35 2007 From: kenneth at ylayali.net (Kenneth Dombrowski) Date: Fri, 21 Sep 2007 16:03:35 -0400 Subject: [nycphp-talk] MySQL Monitor V PHP & MySQL In-Reply-To: <008001c7fc88$3e086d80$0200a8c0@X9183> References: <008001c7fc88$3e086d80$0200a8c0@X9183> Message-ID: <20070921200335.GO17734@ylayali.net>

Hi Paul,

On 07-09-21 20:47 +0100, PaulCheung wrote:
> $access_code = $access_code - $access_code;

i don't understand what your intent is with the above line.. setting $access_code to 0?
(it's not your problem, i am just curious) > $rs = mysql_query( $sql, $conn ) or die( "Could not execute query" ); > > $num = mysql_numrows( $rs ); > > if( $num != 0 ) > { $access_code = access_code; the above line looks to me like $access_code is being assigned the value of the undefined constant access_code, which php will assume is intended to be the string 'access_code' i think you want $access_code = $rs['access_code'] From danielc at analysisandsolutions.com Fri Sep 21 16:33:39 2007 From: danielc at analysisandsolutions.com (Daniel Convissor) Date: Fri, 21 Sep 2007 16:33:39 -0400 Subject: [nycphp-talk] AJAX and State In-Reply-To: <46F0F069.3000206@metalab.unc.edu> References: <46DD54B0.5060803@secdat.com> <46E1238E.5010307@metalab.unc.edu> <46E12D4A.2010204@secdat.com> <46E12F93.4040700@metalab.unc.edu> <46E132B0.9010400@secdat.com> <46E138C2.3040307@metalab.unc.edu> <20070912214433.GA11305@panix.com> <46F0F069.3000206@metalab.unc.edu> Message-ID: <20070921203338.GA9970@panix.com> Hi Elliotte: On Wed, Sep 19, 2007 at 05:48:25AM -0400, Elliotte Harold wrote: > > However the fundamental principle is that full auth data must be sent > with each request. > > Breaking that rule is going to cost you big time when you need to scale > an application. Basic and Digest auth are slow when it comes to dealing with large user bases. They also increase insecurity, particularly when working over non-encrypted connections. Plus I don't like the idea of keeping authentication information in the browser. Sure, session id's introduce security pitfalls such as session hijacking, but that seems less ominous to me than giving out your user name and password on each request. > It very well may introduce single points of failure into > your app. You can architect around those, but only at the cost of doing > a lot more work with a lot more machines than you would have had to do > if your app had followed the design of HTTP instead of working against it. 
How is using a session id cookie "working against" the design of HTTP? --Dan -- T H E A N A L Y S I S A N D S O L U T I O N S C O M P A N Y data intensive web and database programming http://www.AnalysisAndSolutions.com/ 4015 7th Ave #4, Brooklyn NY 11232 v: 718-854-0335 f: 718-854-0409 From bz-gmort at beezifies.com Fri Sep 21 16:42:30 2007 From: bz-gmort at beezifies.com (Gary Mort) Date: Fri, 21 Sep 2007 16:42:30 -0400 Subject: [nycphp-talk] Re: [joomla] Sphinx search In-Reply-To: <46F41512.3040006@beezifies.com> References: <46F3B50C.6030203@beezifies.com> <330532b60709210919x509678eep1a42e409740e61a3@mail.gmail.com> <46F41512.3040006@beezifies.com> Message-ID: <46F42CB6.9080209@beezifies.com> Opps, wrong list. Sorry. From michael.southwell at nyphp.com Fri Sep 21 19:41:29 2007 From: michael.southwell at nyphp.com (Michael Southwell) Date: Fri, 21 Sep 2007 19:41:29 -0400 Subject: [nycphp-talk] MySQL Monitor V PHP & MySQL In-Reply-To: <008001c7fc88$3e086d80$0200a8c0@X9183> References: <008001c7fc88$3e086d80$0200a8c0@X9183> Message-ID: <20070921194129.hrl1k96k0s8kcs4g@webmail.nyphp.com> Quoting PaulCheung : > I have researched, checked and tried everything I can think of and > still cannot get it to work. > SELECT access_code FROM authorised_users WHEN I am not familiar with WHEN but that could be my own ignorance > $rs = @mysql_select_db( "test_db", $conn ) > or die( "Could not select database" ); > > $rs = @mysql_select_db( "test_db", $conn ) or die( "Could not select > database" ); This line is doubled but that is not your problem. > > $sql = "SELECT access_code > FROM authorised_users > user_id = '$userid' AND This is the reason that you are getting different results: you left out the WHEN that you had above (unless this is not an accurate representation of your code); whether WHEN is a legitimate keyword is a different issue. 
-- Michael Southwell Vice President, Education NYPHP TRAINING http://nyphp.com/training/indepth From elharo at metalab.unc.edu Sat Sep 22 08:19:01 2007 From: elharo at metalab.unc.edu (Elliotte Harold) Date: Sat, 22 Sep 2007 08:19:01 -0400 Subject: [nycphp-talk] AJAX and State In-Reply-To: <20070921203338.GA9970@panix.com> References: <46DD54B0.5060803@secdat.com> <46E1238E.5010307@metalab.unc.edu> <46E12D4A.2010204@secdat.com> <46E12F93.4040700@metalab.unc.edu> <46E132B0.9010400@secdat.com> <46E138C2.3040307@metalab.unc.edu> <20070912214433.GA11305@panix.com> <46F0F069.3000206@metalab.unc.edu> <20070921203338.GA9970@panix.com> Message-ID: <46F50835.3050505@metalab.unc.edu> Daniel Convissor wrote: > Basic and Digest auth are slow when it comes to dealing with large user > bases. I've seen no evidence of that whatsoever. > They also increase insecurity, particularly when working over > non-encrypted connections. For basic I'd use encrypted connections only. Digest is fine in the "clear". > Plus I don't like the idea of keeping > authentication information in the browser. Tough. That's being done anyway. > Sure, session id's introduce security pitfalls such as session hijacking, > but that seems less ominous to me than giving out your user name and > password on each request. Only basic really gives out user name and password info one each request. Digest never passes the password at all. And there are other schemes. >> It very well may introduce single points of failure into >> your app. You can architect around those, but only at the cost of doing >> a lot more work with a lot more machines than you would have had to do >> if your app had followed the design of HTTP instead of working against it. > > How is using a session id cookie "working against" the design of HTTP? > Because HTTP is explicitly designed to be stateless and sessionless. See, for example, Sam Ruby's RESTful Web Services. 
-- Elliotte Rusty Harold elharo at metalab.unc.edu Java I/O 2nd Edition Just Published! http://www.cafeaulait.org/books/javaio2/ http://www.amazon.com/exec/obidos/ISBN=0596527500/ref=nosim/cafeaulaitA/ From ken at secdat.com Sat Sep 22 08:43:58 2007 From: ken at secdat.com (Kenneth Downs) Date: Sat, 22 Sep 2007 08:43:58 -0400 Subject: [nycphp-talk] AJAX and State In-Reply-To: <46F50835.3050505@metalab.unc.edu> References: <46DD54B0.5060803@secdat.com> <46E1238E.5010307@metalab.unc.edu> <46E12D4A.2010204@secdat.com> <46E12F93.4040700@metalab.unc.edu> <46E132B0.9010400@secdat.com> <46E138C2.3040307@metalab.unc.edu> <20070912214433.GA11305@panix.com> <46F0F069.3000206@metalab.unc.edu> <20070921203338.GA9970@panix.com> <46F50835.3050505@metalab.unc.edu> Message-ID: <46F50E0E.2020302@secdat.com> Elliotte Harold wrote: >> Plus I don't like the idea of keeping authentication information in >> the browser. > > Tough. That's being done anyway. > True, but we need a better answer than that. Can you explain what mechanisms are storing the passwords, and why no additional weakness has been introduced? -- Kenneth Downs Secure Data Software, Inc. www.secdat.com www.andromeda-project.org 631-689-7200 Fax: 631-689-0527 cell: 631-379-0010 From ramons at gmx.net Sat Sep 22 09:01:55 2007 From: ramons at gmx.net (David Krings) Date: Sat, 22 Sep 2007 09:01:55 -0400 Subject: [nycphp-talk] MySQL Monitor V PHP & MySQL In-Reply-To: <20070921194129.hrl1k96k0s8kcs4g@webmail.nyphp.com> References: <008001c7fc88$3e086d80$0200a8c0@X9183> <20070921194129.hrl1k96k0s8kcs4g@webmail.nyphp.com> Message-ID: <46F51243.9090804@gmx.net> Michael Southwell wrote: > Quoting PaulCheung : > >> I have researched, checked and tried everything I can think of and >> still cannot get it to work. 
> >> SELECT access_code FROM authorised_users WHEN > > I am not familiar with WHEN but that could be my own ignorance > >> $rs = @mysql_select_db( "test_db", $conn ) >> or die( "Could not select database" ); >> >> $rs = @mysql_select_db( "test_db", $conn ) or die( "Could not select >> database" ); > > This line is doubled but that is not your problem. > >> >> $sql = "SELECT access_code >> FROM authorised_users >> user_id = '$userid' AND > > This is the reason that you are getting different results: you left out > the WHEN that you had above (unless this is not an accurate > representation of your code); whether WHEN is a legitimate keyword is a > different issue. > AFAIK that WHEN should be a WHERE. Also, the one ID is put in single quotes within the query. Better is sth like this if in case IDs are integers $sql = "SELECT access_code FROM authorised_users WHERE user_id = ".$userid." AND .... Not that this is the reason for failure, but I found it somewhat difficult to follow the code as there are absolutely no comments. Add commentary, at least one comment per two lines of code. That helps to understand what you are doing and what the steps are, even for something basic like this. David From danielc at analysisandsolutions.com Sat Sep 22 10:19:42 2007 From: danielc at analysisandsolutions.com (Daniel Convissor) Date: Sat, 22 Sep 2007 10:19:42 -0400 Subject: [nycphp-talk] AJAX and State In-Reply-To: <46F50835.3050505@metalab.unc.edu> References: <46DD54B0.5060803@secdat.com> <46E1238E.5010307@metalab.unc.edu> <46E12D4A.2010204@secdat.com> <46E12F93.4040700@metalab.unc.edu> <46E132B0.9010400@secdat.com> <46E138C2.3040307@metalab.unc.edu> <20070912214433.GA11305@panix.com> <46F0F069.3000206@metalab.unc.edu> <20070921203338.GA9970@panix.com> <46F50835.3050505@metalab.unc.edu> Message-ID: <20070922141942.GA17164@panix.com> Hi Elliotte: On Sat, Sep 22, 2007 at 08:19:01AM -0400, Elliotte Harold wrote: > > For basic I'd use encrypted connections only. 
Digest is fine in the > "clear". No HTTP auth method is okay in the clear. Digest sends an MD5 hash as the token. While that doesn't tell me what your password is, unless I figure it out via a reverse lookup database, I can just forge my request headers to include the hash itself. > >Plus I don't like the idea of keeping > >authentication information in the browser. > > Tough. That's being done anyway. Depends on what the user's settings are. > >How is using a session id cookie "working against" the design of HTTP? > > Because HTTP is explicitly designed to be stateless and sessionless. > See, for example, Sam Ruby's RESTful Web Services. Passing your user name and password on each request is no different than passing a session ID on each request. They both indicate who you are. --Dan -- T H E A N A L Y S I S A N D S O L U T I O N S C O M P A N Y data intensive web and database programming http://www.AnalysisAndSolutions.com/ 4015 7th Ave #4, Brooklyn NY 11232 v: 718-854-0335 f: 718-854-0409 From rick at click-rick.net Sat Sep 22 10:57:20 2007 From: rick at click-rick.net (Rick Retzko) Date: Sat, 22 Sep 2007 10:57:20 -0400 Subject: [nycphp-talk] MySQL Monitor V PHP & MySQL In-Reply-To: <008001c7fc88$3e086d80$0200a8c0@X9183> References: <008001c7fc88$3e086d80$0200a8c0@X9183> Message-ID: <006201c7fd28$e1141f60$6600a8c0@adam> Two errors that I can find: 1. You're missing the 'WHERE' key word in your SQL: $sql = "SELECT access_code FROM authorised_users user_id = '$userid' AND user_password = '$password' AND account = '$account'"; should be: $sql = "SELECT access_code FROM authorised_users WHERE user_id = '$userid' AND user_password = '$password' AND account = '$account'"; 2. Your mysql_num_rows is misspelled (Yours is mysql_numrows) making the subsequent 'if' statement FALSE. 
Hope this helps Rick -----Original Message----- From: talk-bounces at lists.nyphp.org [mailto:talk-bounces at lists.nyphp.org] On Behalf Of PaulCheung Sent: Friday, September 21, 2007 3:47 PM To: talk at lists.nyphp.org Subject: [nycphp-talk] MySQL Monitor V PHP & MySQL I have researched, checked and tried everything I can think of and still cannot get it to work. when using MySQL monitor the following works ================================= SELECT access_code FROM authorised_users WHEN user_id = 'Nancy' AND user_password = 'qwerty' AND account = '48572998'; Access_code is displayed = 11966552 When using PHP & MySQL ($userid='Nancy', $user_password='qwerty', $account='48572998') ==================== auth "); echo ("password = " . $password . "
"); echo ("account = " . $account . "
"); echo ("self = " . $self . "
"); /* VALIDATE FOR BLANK INPUT FIELD */ if( ( !$userid ) or ( !$password ) or (!$account) ) { header( "Location:$referer" ); exit(); } /*CONNECT TO MYSQL */ $conn=@mysql_connect( "localhost", "paul", "enter" ) or die( "Could not connect" ); /* CONNECT TO DATABASE */ $rs = @mysql_select_db( "test_db", $conn ) or die( "Could not select database" ); $rs = @mysql_select_db( "test_db", $conn ) or die( "Could not select database" ); $sql = "SELECT access_code FROM authorised_users user_id = '$userid' AND user_password = '$password' AND account = '$account'"; $rs = mysql_query( $sql, $conn ) or die( "Could not execute query" ); $num = mysql_numrows( $rs ); if( $num != 0 ) { $access_code = access_code; echo ("testcheckpoint - Welcome - your log-in succeeded!" . "
"); echo ("testcheckpoint - accesscode = " . access_code . "
"); echo ('testcheckpoint - $accesscode = ' . $access_code . "
"); } else { echo (" test checkpoint statement 55 " . "
"); header( "Location:$referer" ); exit(); } =========================================== this is what is returned from the test user id = Nancy password = qwerty account = 48572998 self = /tp_orth.php conn = Resource id #2 sql = SELECT access_code FROM authorised_users WHERE user_id = 'Nancy' AND user_password = 'qwerty' AND account = '48572998' access = 0 Welcome - your log-in succeeded! testcheckpoint - accesscode = access_code testcheckpoint - $accesscode = access_code I am trying to get the Access_code and cannot see what I am doing wrong P _______________________________________________ New York PHP Community Talk Mailing List http://lists.nyphp.org/mailman/listinfo/talk NYPHPCon 2006 Presentations Online http://www.nyphpcon.com Show Your Participation in New York PHP http://www.nyphp.org/show_participation.php From paulcheung at tiscali.co.uk Sat Sep 22 11:49:46 2007 From: paulcheung at tiscali.co.uk (PaulCheung) Date: Sat, 22 Sep 2007 16:49:46 +0100 Subject: [nycphp-talk] MySQL Monitor V PHP & MySQL References: <008001c7fc88$3e086d80$0200a8c0@X9183> <7fb2405d0709211328y4f3d3536x881a83391bc2c274@mail.gmail.com> Message-ID: <004101c7fd30$33470b60$0200a8c0@X9183> Sorry everybody it was a typing error when assembling the email. The "WHEN" should have been "WHERE". I did use the "WHERE" when testing using MySQL Monitor and the statement $sql = "SELECT access_code FROM authorised_users (WHERE ) user_id = '$userid' AND user_password = '$password' AND account = '$account'"; also had the missing WHERE in during testing but once again it was a typing error when assembling the email. Sorry about that. ----- Original Message ----- From: P. Ju (???) To: NYPHP Talk ; paulcheung at tiscali.co.uk Sent: Friday, September 21, 2007 9:28 PM Subject: Re: [nycphp-talk] MySQL Monitor V PHP & MySQL Err, actually ignore the previous. However, where's your WHERE ? 
$sql = "SELECT access_code FROM authorised_users user_id = '$userid' AND user_password = '$password' AND account = '$account'"; You're missing a "WHERE" and in your MySQLMonitor statement, you typed WHEN. ?? I don't use that tool, but is that valid? Patricia On 9/21/07, PaulCheung wrote: I have researched, checked and tried everything I can think of and still cannot get it to work. when using MySQL monitor the following works ================================= SELECT access_code FROM authorised_users WHEN user_id = 'Nancy' AND user_password = 'qwerty' AND account = '48572998'; Access_code is displayed = 11966552 When using PHP & MySQL ($userid='Nancy', $user_password='qwerty', $account='48572998') ==================== auth "); echo ("password = " . $password . "
"); echo ("account = " . $account . "
"); echo ("self = " . $self . "
"); /* VALIDATE FOR BLANK INPUT FIELD */ if( ( !$userid ) or ( !$password ) or (!$account) ) { header( "Location:$referer" ); exit(); } /*CONNECT TO MYSQL */ $conn=@mysql_connect( "localhost", "paul", "enter" ) or die( "Could not connect" ); /* CONNECT TO DATABASE */ $rs = @mysql_select_db( "test_db", $conn ) or die( "Could not select database" ); $rs = @mysql_select_db( "test_db", $conn ) or die( "Could not select database" ); $sql = "SELECT access_code FROM authorised_users user_id = '$userid' AND user_password = '$password' AND account = '$account'"; $rs = mysql_query( $sql, $conn ) or die( "Could not execute query" ); $num = mysql_numrows( $rs ); if( $num != 0 ) { $access_code = access_code; echo ("testcheckpoint - Welcome - your log-in succeeded!" . "
"); echo ("testcheckpoint - accesscode = " . access_code . "
"); echo ('testcheckpoint - $accesscode = ' . $access_code . "
"); } else { echo (" test checkpoint statement 55 " . "
"); header( "Location:$referer" ); exit(); } =========================================== this is what is returned from the test user id = Nancy password = qwerty account = 48572998 self = /tp_orth.php conn = Resource id #2 sql = SELECT access_code FROM authorised_users WHERE user_id = 'Nancy' AND user_password = 'qwerty' AND account = '48572998' access = 0 Welcome - your log-in succeeded! testcheckpoint - accesscode = access_code testcheckpoint - $accesscode = access_code I am trying to get the Access_code and cannot see what I am doing wrong P -- Patricia Ju phj at pobox.com +1-646-717-3871 success = f(perseverance) From paulcheung at tiscali.co.uk Sat Sep 22 11:52:09 2007 From: paulcheung at tiscali.co.uk (PaulCheung) Date: Sat, 22 Sep 2007 16:52:09 +0100 Subject: [nycphp-talk] MySQL Monitor V PHP & MySQL References: <008001c7fc88$3e086d80$0200a8c0@X9183> <20070921194129.hrl1k96k0s8kcs4g@webmail.nyphp.com> Message-ID: <004701c7fd30$89444a00$0200a8c0@X9183> Hello Michael, Sorry, I was trying to make the statement more readable by putting the WHERE and AND at the end of the line rather than at the beginning and unconsciously mixed in to the email COBOL, where its SELECT statement does use WHEN, my apologies. Here is the actual statement used which didn't work and it still does not, for me at least.
$sql = "SELECT access_code FROM authorised_users WHERE user_id = '$userid' AND user_password = '$password' AND account = '$account'"; This is what I was expecting (from MySQL Monitor) and got mysql> use test_db; Database changed mysql> select access_code from authorised_users where user_id = 'Nancy' and use_password = 'qwerty' and account = '48572998'; +-------------+ | access_code | +-------------+ | 11966552 | +-------------+ 1 row in set (0.00 sec) This is what I got from (PHP MySQL) sql = SELECT access_code FROM authorised_users WHERE user_id = 'Nancy' AND user_password = 'qwerty' AND account = '48572998'; Welcome - your log-in succeeded! accesscode = access_code $accesscode = access_code I was expecting '11966552' Paul ----- Original Message ----- From: "Michael Southwell" To: Sent: Saturday, September 22, 2007 12:41 AM Subject: Re: [nycphp-talk] MySQL Monitor V PHP & MySQL > Quoting PaulCheung : > >> I have researched, checked and tried everything I can think of and >> still cannot get it to work. > >> SELECT access_code FROM authorised_users WHEN > > I am not familiar with WHEN but that could be my own ignorance > >> $rs = @mysql_select_db( "test_db", $conn ) >> or die( "Could not select database" ); >> >> $rs = @mysql_select_db( "test_db", $conn ) or die( "Could not select >> database" ); > > This line is doubled but that is not your problem. > >> >> $sql = "SELECT access_code >> FROM authorised_users >> user_id = '$userid' AND > > This is the reason that you are getting different results: you left out > the WHEN that you had above (unless this is not an accurate > representation of your code); whether WHEN is a legitimate keyword is a > different issue. 
> > -- > Michael Southwell > Vice President, Education > NYPHP TRAINING http://nyphp.com/training/indepth From paulcheung at tiscali.co.uk Sat Sep 22 11:52:59 2007 From: paulcheung at tiscali.co.uk (PaulCheung) Date: Sat, 22 Sep 2007 16:52:59 +0100 Subject: [nycphp-talk] MySQL Monitor V PHP & MySQL References: <008001c7fc88$3e086d80$0200a8c0@X9183> <20070921200335.GO17734@ylayali.net> Message-ID: <004801c7fd30$a6981230$0200a8c0@X9183> Hi Ken, The $access_code = $access_code - $access_code; is just a prehistoric programming technique. By the way the solution you proposed did not work; But the access_code is now blank I would be most grateful for any other suggestions. ser id = Nancy password = qwerty account = 48572998 self = /tp_orth.php conn = Resource id #2 sql = SELECT access_code FROM authorised_users WHERE user_id = 'Nancy' AND user_password = 'qwerty' AND account = '48572998' Welcome - your log-in succeeded! access_code = $access_code = Paul ----- Original Message ----- From: "Kenneth Dombrowski" To: Sent: Friday, September 21, 2007 9:03 PM Subject: Re: [nycphp-talk] MySQL Monitor V PHP & MySQL > > Hi Paul, > > On 07-09-21 20:47 +0100, PaulCheung wrote: >> $access_code = $access_code - $access_code; > > i don't understand what your intent is with the above line.. setting > $access_code to 0?
(it's not your problem, i am just curious) > >> $rs = mysql_query( $sql, $conn ) or die( "Could not execute query" ); >> >> $num = mysql_numrows( $rs ); >> >> if( $num != 0 ) >> { $access_code = access_code; > > the above line looks to me like $access_code is being assigned the value > of the undefined constant access_code, which php will assume is intended > to be the string 'access_code' > > i think you want $access_code = $rs['access_code'] From paulcheung at tiscali.co.uk Sat Sep 22 12:20:46 2007 From: paulcheung at tiscali.co.uk (PaulCheung) Date: Sat, 22 Sep 2007 17:20:46 +0100 Subject: [nycphp-talk] MySQL Monitor V PHP & MySQL References: <008001c7fc88$3e086d80$0200a8c0@X9183> <006201c7fd28$e1141f60$6600a8c0@adam> Message-ID: <004e01c7fd34$882102e0$0200a8c0@X9183> Hi everybody I have implemented all the suggested changes and still cannot get it to work maybe it is time to just hand over the code to see if anybody can see what I am doing wrong. What I am trying to do is get the value of ACCESS_CODE Paul ----- Original Message ----- From: "Rick Retzko" To: "'NYPHP Talk'" Sent: Saturday, September 22, 2007 3:57 PM Subject: RE: [nycphp-talk] MySQL Monitor V PHP & MySQL > Two errors that I can find: > > 1. You're missing the 'WHERE' key word in your SQL: $sql = "SELECT > access_code > FROM authorised_users > user_id = '$userid' AND > user_password = '$password' AND > account = '$account'"; > should be: > $sql = "SELECT access_code > FROM authorised_users > WHERE user_id = '$userid' AND > user_password = '$password' AND > account = '$account'"; > > 2. Your mysql_num_rows is misspelled (Yours is mysql_numrows) making the > subsequent 'if' statement FALSE.
> > Hope this helps > > > Rick > > -----Original Message----- > From: talk-bounces at lists.nyphp.org [mailto:talk-bounces at lists.nyphp.org] > On > Behalf Of PaulCheung > Sent: Friday, September 21, 2007 3:47 PM > To: talk at lists.nyphp.org > Subject: [nycphp-talk] MySQL Monitor V PHP & MySQL > > I have researched, checked and tried everything I can think of and still > cannot get it to work. > > when using MySQL monitor the following works > ================================= > > SELECT access_code FROM authorised_users WHEN user_id = 'Nancy' AND > user_password = 'qwerty' AND account = '48572998'; > > Access_code is displayed = 11966552 > > When using PHP & MySQL ($userid='Nancy', $user_password='qwerty', > $account='48572998') > ==================== > > auth > $userid = $_POST['user']; > $password = $_POST['passcode']; > $account = $_POST['account']; > $self = $_SERVER['PHP_SELF']; > $referer = $_SERVER['HTTP_REFERER']; > $access_code = $access_code - $access_code; > > /* FOR TEST ONLY */ > echo ("user id = " . $userid . "
"); > echo ("password = " . $password . "
"); echo ("account = " . $account > . > "
"); echo ("self = " . $self . "
"); > > /* VALIDATE FOR BLANK INPUT FIELD */ > if( ( !$userid ) or ( !$password ) or (!$account) ) { header( > "Location:$referer" ); exit(); } /*CONNECT TO MYSQL */ > $conn=@mysql_connect( "localhost", "paul", "enter" ) > or die( "Could not connect" ); > /* CONNECT TO DATABASE */ > $rs = @mysql_select_db( "test_db", $conn ) > or die( "Could not select database" ); > > $rs = @mysql_select_db( "test_db", $conn ) or die( "Could not select > database" ); > > $sql = "SELECT access_code > FROM authorised_users > user_id = '$userid' AND > user_password = '$password' AND > account = '$account'"; > > $rs = mysql_query( $sql, $conn ) or die( "Could not execute query" ); > > $num = mysql_numrows( $rs ); > > if( $num != 0 ) > { $access_code = access_code; > echo ("testcheckpoint - Welcome - your log-in succeeded!" . "
"); > echo ("testcheckpoint - accesscode = " . access_code . "
"); > echo ('testcheckpoint - $accesscode = ' . $access_code . "
"); } else > { echo (" test checkpoint statement 55 " . "
"); > header( "Location:$referer" ); > exit(); } > > =========================================== > this is what is returned from the test > > user id = Nancy > password = qwerty > account = 48572998 > self = /tp_orth.php > conn = Resource id #2 > sql = SELECT access_code FROM authorised_users WHERE user_id = 'Nancy' AND > user_password = 'qwerty' AND account = '48572998' > access = 0 > Welcome - your log-in succeeded! > testcheckpoint - accesscode = access_code testcheckpoint - $accesscode = > access_code > > I am trying to get the Access_code and cannot see what I am doing wrong > > P
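The lookup this thread keeps circling, written out as an added example; it is not Paul's code nor anything posted by the other participants. It keeps the thread's table and column names (authorised_users, user_id, user_password, account, access_code) and the form field names (user, passcode, account); the function name, the database credentials and the login page path are placeholders of mine, and the block assumes PHP 7 or later with the mysqli extension. It shows the two things the thread never quite pins down: the result of the query has to be fetched from the result set (the bare word `access_code` is an undefined constant that PHP treats as the string 'access_code'), and the form values must not be pasted into the SQL text, which is why the query uses a prepared statement with bound parameters instead of `'$userid'` interpolation.

```php
<?php
// Added example, not the thread's code. Assumed: PHP >= 7, ext/mysqli,
// a table authorised_users(user_id, user_password, account, access_code).

function fetch_access_code(mysqli $db, string $userid, string $password, string $account): ?string
{
    // Placeholders keep the form values out of the SQL text: a value such as
    // "' OR '1'='1" is compared as a literal string, not parsed as SQL.
    $stmt = $db->prepare(
        'SELECT access_code FROM authorised_users'
        . ' WHERE user_id = ? AND user_password = ? AND account = ?'
    );
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $db->error);
    }
    $stmt->bind_param('sss', $userid, $password, $account);
    $stmt->execute();

    // The original did `$access_code = access_code;`, which assigns the bare
    // word itself. The value has to be read out of the result row: bind the
    // selected column to a variable and fetch one row.
    $stmt->bind_result($access_code);
    $found = $stmt->fetch();   // true when a row matched, null when none did
    $stmt->close();

    return $found === true ? (string) $access_code : null;
}

// --- request handling ------------------------------------------------------
$userid   = $_POST['user']     ?? '';
$password = $_POST['passcode'] ?? '';
$account  = $_POST['account']  ?? '';

// Reject blank fields before touching the database. The original redirected
// to HTTP_REFERER, which the client chooses; a fixed path is safer.
if ($userid === '' || $password === '' || $account === '') {
    header('Location: /login.php');   // placeholder login page
    exit();
}

// Placeholder credentials; do not ship a real password in a script.
$db = new mysqli('localhost', 'DB_USER_PLACEHOLDER', 'DB_PASSWORD_PLACEHOLDER', 'test_db');
if ($db->connect_error) {
    die('Could not connect');
}

$code = fetch_access_code($db, $userid, $password, $account);
if ($code === null) {
    // No matching row: same redirect as the blank-field case, no detail leaked.
    header('Location: /login.php');
    exit();
}

// htmlspecialchars keeps a stored value from being rendered as markup; the
// password is never echoed, not even in debug output.
echo 'Welcome - your log-in succeeded!<br>';
echo 'access_code = ' . htmlspecialchars($code, ENT_QUOTES, 'UTF-8') . '<br>';
```

With the thread's sample row the function returns the string '11966552' for Nancy / qwerty / 48572998 and null for anything else. The query still compares user_password as a stored plaintext value because that is the schema the thread shows; if the column held a password_hash() digest instead, the statement would select user_password by user_id and account alone and the PHP side would call password_verify() on the submitted password.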
From elharo at metalab.unc.edu Sat Sep 22 12:23:21 2007 From: elharo at metalab.unc.edu (Elliotte Harold) Date: Sat, 22 Sep 2007 12:23:21 -0400 Subject: [nycphp-talk] AJAX and State In-Reply-To: <46F50E0E.2020302@secdat.com> References: <46DD54B0.5060803@secdat.com> <46E1238E.5010307@metalab.unc.edu> <46E12D4A.2010204@secdat.com> <46E12F93.4040700@metalab.unc.edu> <46E132B0.9010400@secdat.com> <46E138C2.3040307@metalab.unc.edu> <20070912214433.GA11305@panix.com> <46F0F069.3000206@metalab.unc.edu> <20070921203338.GA9970@panix.com> <46F50835.3050505@metalab.unc.edu> <46F50E0E.2020302@secdat.com> Message-ID: <46F54179.6040506@metalab.unc.edu> Kenneth Downs wrote: > True, but we need a better answer than that. > > Can you explain what mechanisms are storing the passwords, and why no > additional weakness has been introduced? > The issue here is really one of psychology and usability. A poorly usable authentication system will cause users to route around it, for example by always using the same password, by choosing easily remembered passwords, by writing them down on Post-it notes stuck to their monitors, or all of the above. The theoretical strength of authentication systems is irrelevant in the face of user counter-measures such as these. Only systems that take users into account will be secure in the real world. Usability is not a sufficient condition for secure authentication, but it is a necessary one. Given the wealth of passwords users are expected to remember in order to participate in the Web, the only plausibly usable system for managing client password lists that maintains some level of security is single sign-on. Server-based single sign-on systems have failed because no standard centralized repository has been established. Thus the only choice is to place this repository on the client. (I suspect that would still be the right answer even if one of the server based systems had succeeded, but the point is moot because none did.)
The vast majority of users will only accept such a system if it is actually easier to use than pen and paper. The only such system is the one that doesn't require the user to do any extra work. That means the browser itself (or a plug-in integrated into the browser) remembers the password. EVERYTHING ELSE THAT HAS BEEN TRIED TO DATE HAS FAILED. NO EXCEPTIONS. Now assuming you're willing to work under those constraints, you can make the browser repository a little stronger. You can use better encryption for the password store. You can make sure that the memory area in which the browser stores its passwords is promptly zeroed out after use. And you can play a few other tricks that don't affect the user experience. But that's about it. A browser-based password store is the most secure authentication system devised to date. In practice, everything else that has been tried has been less secure. I suspect we're not going to improve on this state of affairs until we move away from usernames and passwords completely. -- Elliotte Rusty Harold elharo at metalab.unc.edu Java I/O 2nd Edition Just Published! 
http://www.cafeaulait.org/books/javaio2/ http://www.amazon.com/exec/obidos/ISBN=0596527500/ref=nosim/cafeaulaitA/ From danielc at analysisandsolutions.com Sat Sep 22 12:54:44 2007 From: danielc at analysisandsolutions.com (Daniel Convissor) Date: Sat, 22 Sep 2007 12:54:44 -0400 Subject: [nycphp-talk] AJAX and State In-Reply-To: <46F54179.6040506@metalab.unc.edu> References: <46E12D4A.2010204@secdat.com> <46E12F93.4040700@metalab.unc.edu> <46E132B0.9010400@secdat.com> <46E138C2.3040307@metalab.unc.edu> <20070912214433.GA11305@panix.com> <46F0F069.3000206@metalab.unc.edu> <20070921203338.GA9970@panix.com> <46F50835.3050505@metalab.unc.edu> <46F50E0E.2020302@secdat.com> <46F54179.6040506@metalab.unc.edu> Message-ID: <20070922165444.GA24751@panix.com> On Sat, Sep 22, 2007 at 12:23:21PM -0400, Elliotte Harold wrote: > > Thus the only > choice is to place this repository on the client. > ... snip ... > That means the > browser itself (or a plug-in integrated into the browser) remembers the > password. > > EVERYTHING ELSE THAT HAS BEEN TRIED TO DATE HAS FAILED. NO EXCEPTIONS. Except having a password store on one's computer that's separate from the browser. There are several pieces of software that do this. My technique is to store password information in a GPG encrypted text file. Of course, this isn't a technique the masses would be able to handle. > A browser-based password store is the most secure authentication system > devised to date. No, it's not. We're really diverging from PHP here, so this is the last posting I'll make in this thread. 
--Dan -- T H E A N A L Y S I S A N D S O L U T I O N S C O M P A N Y data intensive web and database programming http://www.AnalysisAndSolutions.com/ 4015 7th Ave #4, Brooklyn NY 11232 v: 718-854-0335 f: 718-854-0409 From elharo at metalab.unc.edu Sat Sep 22 13:09:32 2007 From: elharo at metalab.unc.edu (Elliotte Harold) Date: Sat, 22 Sep 2007 13:09:32 -0400 Subject: [nycphp-talk] AJAX and State In-Reply-To: <20070922165444.GA24751@panix.com> References: <46E12D4A.2010204@secdat.com> <46E12F93.4040700@metalab.unc.edu> <46E132B0.9010400@secdat.com> <46E138C2.3040307@metalab.unc.edu> <20070912214433.GA11305@panix.com> <46F0F069.3000206@metalab.unc.edu> <20070921203338.GA9970@panix.com> <46F50835.3050505@metalab.unc.edu> <46F50E0E.2020302@secdat.com> <46F54179.6040506@metalab.unc.edu> <20070922165444.GA24751@panix.com> Message-ID: <46F54C4C.2010100@metalab.unc.edu> Daniel Convissor wrote: > Except having a password store on one's computer that's separate from the > browser. There are several pieces of software that do this. If that's integrated with the browser, sure. However if it's not, it's too complicated. Opening a separate app, typing in its password, then copying and pasting the username and password into the browser is too much trouble. Even Bruce Schneier, inventor of PasswordSafe among other things, stores his passwords on a little piece of paper in his wallet! http://www.theregister.co.uk/2005/07/19/password_schneier/ I reiterate: browser-based password stores are the most secure solution yet devised. -- Elliotte Rusty Harold elharo at metalab.unc.edu Java I/O 2nd Edition Just Published! 
http://www.cafeaulait.org/books/javaio2/ http://www.amazon.com/exec/obidos/ISBN=0596527500/ref=nosim/cafeaulaitA/ From rick at click-rick.net Sat Sep 22 14:26:51 2007 From: rick at click-rick.net (Rick Retzko) Date: Sat, 22 Sep 2007 14:26:51 -0400 Subject: [nycphp-talk] MySQL Monitor V PHP & MySQL In-Reply-To: <004e01c7fd34$882102e0$0200a8c0@X9183> References: <008001c7fc88$3e086d80$0200a8c0@X9183><006201c7fd28$e1141f60$6600a8c0@adam> <004e01c7fd34$882102e0$0200a8c0@X9183> Message-ID: <000c01c7fd46$2684e490$6600a8c0@adam> Paul - Maybe this is a typo as well, but "$access_code = access_code;" ? What are you trying to do here? My recommendation is that you add an 'echo "Access Code: $access_code";' before and after this line to confirm that you're getting what you think you should be getting. Best Regards - Rick ============ -----Original Message----- From: talk-bounces at lists.nyphp.org [mailto:talk-bounces at lists.nyphp.org] On Behalf Of PaulCheung Sent: Saturday, September 22, 2007 12:21 PM To: NYPHP Talk Subject: Re: [nycphp-talk] MySQL Monitor V PHP & MySQL Hi everybody I have implemented all the suggested changes and still cannot get it to work maybe it is time to just hand over the code to see if anybody can see what I am doing wrong. What I am trying to do is get the value of ACCESS_CODE Paul ----- Original Message ----- From: "Rick Retzko" To: "'NYPHP Talk'" Sent: Saturday, September 22, 2007 3:57 PM Subject: RE: [nycphp-talk] MySQL Monitor V PHP & MySQL > Two errors that I can find: > > 1. You're missing the 'WHERE' key word in your SQL: $sql = "SELECT > access_code > FROM authorised_users > user_id = '$userid' AND > user_password = '$password' AND > account = '$account'"; > should be: > $sql = "SELECT access_code > FROM authorised_users > WHERE user_id = '$userid' AND > user_password = '$password' AND > account = '$account'"; > > 2. Your mysql_num_rows is misspelled (Yours is mysql_numrows) making the > subsequent 'if' statement FALSE. 
> > Hope this helps > > > Rick > > -----Original Message----- > From: talk-bounces at lists.nyphp.org [mailto:talk-bounces at lists.nyphp.org] > On > Behalf Of PaulCheung > Sent: Friday, September 21, 2007 3:47 PM > To: talk at lists.nyphp.org > Subject: [nycphp-talk] MySQL Monitor V PHP & MySQL > > I have researched, checked and tried everything I can think of and still > cannot get it to work. > > when using MySQL monitor the following works > ================================= > > SELECT access_code FROM authorised_users WHEN user_id = 'Nancy' AND > user_password = 'qwerty' AND account = '48572998'; > > Access_code is displayed = 11966552 > > When using PHP & MySQL ($userid='Nancy', $user_password='qwerty', > $account='48572998') > ==================== > > auth > $userid = $_POST['user']; > $password = $_POST['passcode']; > $account = $_POST['account']; > $self = $_SERVER['PHP_SELF']; > $referer = $_SERVER['HTTP_REFERER']; > $access_code = $access_code - $access_code; > > /* FOR TEST ONLY */ > echo ("user id = " . $userid . "
"); > echo ("password = " . $password . "
"); echo ("account = " . $account > . > "
"); echo ("self = " . $self . "
"); > > /* VALIDATE FOR BLANK INPUT FIELD */ > if( ( !$userid ) or ( !$password ) or (!$account) ) { header( > "Location:$referer" ); exit(); } /*CONNECT TO MYSQL */ > $conn=@mysql_connect( "localhost", "paul", "enter" ) > or die( "Could not connect" ); > /* CONNECT TO DATABASE */ > $rs = @mysql_select_db( "test_db", $conn ) > or die( "Could not select database" ); > > $rs = @mysql_select_db( "test_db", $conn ) or die( "Could not select > database" ); > > $sql = "SELECT access_code > FROM authorised_users > user_id = '$userid' AND > user_password = '$password' AND > account = '$account'"; > > $rs = mysql_query( $sql, $conn ) or die( "Could not execute query" ); > > $num = mysql_numrows( $rs ); > > if( $num != 0 ) > { $access_code = access_code; > echo ("testcheckpoint - Welcome - your log-in succeeded!" . "
"); > echo ("testcheckpoint - accesscode = " . access_code . "
"); > echo ('testcheckpoint - $accesscode = ' . $access_code . "
"); } else > { echo (" test checkpoint statement 55 " . "
"); > header( "Location:$referer" ); > exit(); } > > =========================================== > this is what is returned from the test > > user id = Nancy > password = qwerty > account = 48572998 > self = /tp_orth.php > conn = Resource id #2 > sql = SELECT access_code FROM authorised_users WHERE user_id = 'Nancy' AND > user_password = 'qwerty' AND account = '48572998' > access = 0 > Welcome - your log-in succeeded! > testcheckpoint - accesscode = access_code testcheckpoint - $accesscode = > access_code > > I am trying to get the Access_code and cannot see what I am doing wrong > > P From ken at secdat.com Sat Sep 22 14:26:29 2007 From: ken at secdat.com (Kenneth Downs) Date: Sat, 22 Sep 2007 14:26:29 -0400 Subject: [nycphp-talk] AJAX and State In-Reply-To: <46F54179.6040506@metalab.unc.edu> References: <46DD54B0.5060803@secdat.com> <46E1238E.5010307@metalab.unc.edu> <46E12D4A.2010204@secdat.com> <46E12F93.4040700@metalab.unc.edu> <46E132B0.9010400@secdat.com> <46E138C2.3040307@metalab.unc.edu> <20070912214433.GA11305@panix.com> <46F0F069.3000206@metalab.unc.edu> <20070921203338.GA9970@panix.com> <46F50835.3050505@metalab.unc.edu> <46F50E0E.2020302@secdat.com> <46F54179.6040506@metalab.unc.edu> Message-ID: <46F55E55.7060808@secdat.com> Elliotte Harold wrote: > Kenneth Downs wrote: > >> True, but we need a better answer than that.
>> >> Can you explain what mechanisms are storing the passwords, and why no >> additional weakness has been introduced? >> > > The issue here is really one of psychology and usability. A poorly > usable authentication system will cause users to route around it, for > example by always using the same password, by choosing easily > remembered passwords, by writing them down on Post-it notes stuck to > their monitors, or all of the above. The theoretical strength of > authentication systems is irrelevant in the face of user > counter-measures such as these. > > > A browser-based password store is the most secure authentication > system devised to date. In practice, everything else that has been > tried has been less secure. I suspect we're not going to improve on > this state of affairs until we move away from usernames and passwords > completely. > Well you've convinced me. Technically there is nothing really to the issue of changing the PHP code. However, this leaves the issue of what we are telling customers, if anything. The conversation we ought to have with the customer is all about what type of single sign-on the users are using. But, methinks most programmers instead are having a conversation about their own efforts in handling passwords, which is misleading and irrelevant. -- Kenneth Downs Secure Data Software, Inc. www.secdat.com www.andromeda-project.org 631-689-7200 Fax: 631-689-0527 cell: 631-379-0010 From lists at zaunere.com Sat Sep 22 14:29:36 2007 From: lists at zaunere.com (Hans Zaunere) Date: Sat, 22 Sep 2007 14:29:36 -0400 Subject: [nycphp-talk] Integration Strategies Message-ID: <04d601c7fd46$87858100$671ba8c0@MobileZ> Hello all, A recent presentation suggestion was on the topic of integration. For instance, taking the best of breed CMS, calendar and shopping cart application and getting them to cross-connect. Namely, for user authentication, authorization and management. 
There is no single solution that I am aware of, but typical strategies include the following: -- custom code to glue these different items together, on a case-by-case basis -- starting out with a framework of sorts and using modules built for it. The framework then provides the integration. So I'd like to begin a discussion on what others have done to address these challenges. Additionally, we can use the points raised for a future presentation. I'd like to set one meeting aside where 4-5 speakers provide 10-15 minute case studies on solutions/strategies they've used as solutions to these challenges. --- Hans Zaunere / President / New York PHP www.nyphp.org / www.nyphp.com
From ramons at gmx.net Sat Sep 22 15:06:31 2007 From: ramons at gmx.net (David Krings) Date: Sat, 22 Sep 2007 15:06:31 -0400 Subject: [nycphp-talk] MySQL Monitor V PHP & MySQL In-Reply-To: <004701c7fd30$89444a00$0200a8c0@X9183> References: <008001c7fc88$3e086d80$0200a8c0@X9183> <20070921194129.hrl1k96k0s8kcs4g@webmail.nyphp.com> <004701c7fd30$89444a00$0200a8c0@X9183> Message-ID: <46F567B7.2020000@gmx.net>
PaulCheung wrote: > Hello Michael, > > Sorry, I was trying to make the statement more readable by putting the > WHERE and AND at the end of the line rather than at the beginning and > unconsciously mixed in to the email COBOL, where its SELECT statement does > use WHEN, my apologies. Here is the actual statement used which didn't work > and it still does not, for me at least. Aha, so, the code posted isn't a 1:1 copy of the code you try to run? I do not know COBOL, but the SELECT statement is SQL and it doesn't matter which programming language you use to send SQL to the db engine.
David From urb at e-government.com Sat Sep 22 17:06:00 2007 From: urb at e-government.com (Urb LeJeune) Date: Sat, 22 Sep 2007 17:06:00 -0400 Subject: [nycphp-talk] MTA commands In-Reply-To: <6C575279-D00B-4FA7-8110-244C91B41431@gmail.com> References: <6C575279-D00B-4FA7-8110-244C91B41431@gmail.com> Message-ID: <7.0.1.0.2.20070922170003.02b25808@e-government.com> Does anyone have any experience with MTA commands being injected in a forms input fields which are exploited by spammers? In case there was one bogus email address in the To: field and then many multiple email address (coma separated) which all received the same message. Although anti-spamming code would be great I'm also looking for ideas or suggestions. Urb Urb Dr. Urban A. LeJeune, President E-Government.com 800-204-9545 From rolan at omnistep.com Sat Sep 22 17:20:42 2007 From: rolan at omnistep.com (Rolan Yang) Date: Sat, 22 Sep 2007 17:20:42 -0400 Subject: [nycphp-talk] MTA commands In-Reply-To: <7.0.1.0.2.20070922170003.02b25808@e-government.com> References: <6C575279-D00B-4FA7-8110-244C91B41431@gmail.com> <7.0.1.0.2.20070922170003.02b25808@e-government.com> Message-ID: <46F5872A.3090602@omnistep.com> Urb LeJeune wrote: > Does anyone have any experience with MTA commands being > injected in a forms input fields which are exploited by spammers? In > case there was one bogus email address in the To: field and then > many multiple email address (coma separated) which all received the > same message. > > Although anti-spamming code would be great I'm also looking > for ideas or suggestions. > > Urb > Urb > > Dr. Urban A. LeJeune, President > E-Government.com > 800-204-9545 > We had a discussion on this a few years back. 
Check out http://www.nyphp.org/phundamentals/email_header_injection.php
From preinheimer at gmail.com Sat Sep 22 19:17:26 2007 From: preinheimer at gmail.com (Paul Reinheimer) Date: Sat, 22 Sep 2007 19:17:26 -0400 Subject: [nycphp-talk] addslashes vs mysql_escape_string() Message-ID: <6ec19ec70709221617k4a7fa326j8a5ec7f9a78afdf7@mail.gmail.com>
Hey List, I was reading http://nyphp.org/phundamentals/storingretrieving.php, and I was a bit unsure about some of the characters listed as being escaped, and did some research. I think that we're listing a few characters as being escaped on that page that actually aren't escaped by the function. I've posted what I found here http://blog.preinheimer.com/index.php?/archives/247-addslashes-vs-mysql_escape_string.html If I'm wrong, please let me know, but I couldn't find any reference to some of those characters in the C source, or in my own tests. paul -- Paul Reinheimer Zend Certified Engineer -------------- next part -------------- An HTML attachment was scrubbed... URL:
From ramons at gmx.net Sat Sep 22 19:25:43 2007 From: ramons at gmx.net (David Krings) Date: Sat, 22 Sep 2007 19:25:43 -0400 Subject: [nycphp-talk] MTA commands In-Reply-To: <7.0.1.0.2.20070922170003.02b25808@e-government.com> References: <6C575279-D00B-4FA7-8110-244C91B41431@gmail.com> <7.0.1.0.2.20070922170003.02b25808@e-government.com> Message-ID: <46F5A477.90908@gmx.net>
Urb LeJeune wrote: > (coma separated) Amazing that one letter can make such a difference.
;) David
From lists at zaunere.com Sat Sep 22 19:50:30 2007 From: lists at zaunere.com (Hans Zaunere) Date: Sat, 22 Sep 2007 19:50:30 -0400 Subject: [nycphp-talk] addslashes vs mysql_escape_string() In-Reply-To: <6ec19ec70709221617k4a7fa326j8a5ec7f9a78afdf7@mail.gmail.com> References: <6ec19ec70709221617k4a7fa326j8a5ec7f9a78afdf7@mail.gmail.com> Message-ID: <05d701c7fd73$5c3593f0$671ba8c0@MobileZ>
Hi Paul, Paul Reinheimer wrote on Saturday, September 22, 2007 7:17 PM: > Hey List, > > I was reading http://nyphp.org/phundamentals/storingretrieving.php, > and I was a bit unsure about some of the characters listed > as being escaped, and did some research. I think that we're listing a > few characters as being escaped on that page that > actually aren't escaped by the function. I've posted what I found > here > http://blog.preinheimer.com/index.php?/archives/247-addslashes-vs-mysql_escape_string.html > > > If I'm wrong, please let me know, but I couldn't find any reference > to some of those characters in the C source, or in my > own tests. In the section of the article I think you're addressing, we talked about what characters MySQL considers special in strings; that is, having special meaning. This includes the backspace and tab, per their documentation: http://dev.mysql.com/doc/refman/5.0/en/string-syntax.html They may or may not be escaped, but they do have special meaning to the database, which is why a database-aware escape function should always be used, vs a generic function like addslashes. End of the day, it's not about what characters are actually escaped - it's that the function you're using to escape is aware of the string's destination. Maybe this is where the confusion is.
--- Hans Zaunere / President / New York PHP www.nyphp.org / www.nyphp.com
From urb at e-government.com Sun Sep 23 09:21:47 2007 From: urb at e-government.com (Urb LeJeune) Date: Sun, 23 Sep 2007 09:21:47 -0400 Subject: [nycphp-talk] MTA commands In-Reply-To: <46F5A477.90908@gmx.net> References: <6C575279-D00B-4FA7-8110-244C91B41431@gmail.com> <7.0.1.0.2.20070922170003.02b25808@e-government.com> <46F5A477.90908@gmx.net> Message-ID: <7.0.1.0.2.20070923092108.031608c8@e-government.com>
>>(coma separated) > >Amazing that one letter can make such a difference. ;) At my age the difference between day-dreaming and a coma is quite small :-) Urb Dr. Urban A. LeJeune, President E-Government.com 800-204-9545
From urb at e-government.com Sun Sep 23 10:04:30 2007 From: urb at e-government.com (Urb LeJeune) Date: Sun, 23 Sep 2007 10:04:30 -0400 Subject: [nycphp-talk] Header Injection In-Reply-To: <46F5872A.3090602@omnistep.com> References: <6C575279-D00B-4FA7-8110-244C91B41431@gmail.com> <7.0.1.0.2.20070922170003.02b25808@e-government.com> <46F5872A.3090602@omnistep.com> Message-ID: <7.0.1.0.2.20070923095731.02b399e0@e-government.com>
>We had a discussion on this a few years back. >Check out http://www.nyphp.org/phundamentals/email_header_injection.php This is a wonderful tutorial, thank you for pointing it out. I've made one little addition to the filtering after submit code.
$FormVariables = ($_POST) ? $_POST : $_GET; foreach( $FormVariables as $value ){...stuff }
Since most forms use POST and URL-encoded variables are GET, this alleviates the need to have two different functions. Urb Dr. Urban A. LeJeune, President E-Government.com 800-204-9545 -------------- next part -------------- An HTML attachment was scrubbed... URL:
From ben at projectskyline.com Sun Sep 23 23:54:53 2007 From: ben at projectskyline.com (Ben Sgro (ProjectSkyLine)) Date: Sun, 23 Sep 2007 23:54:53 -0400 Subject: [nycphp-talk] [OT] Authorize.net & banks.
Message-ID: <003401c7fe5e$aa16a460$6b01a8c0@c500>
Hello, Maybe I am missing something, but I've looked on Authorize.net's website a lot, used Google, and can't seem to find the answer to: Which banks work with authorize.net? Do all banks work w/the service? Does anyone know where to find such info? I attempted to call authorize.net twice and the wait both times was over 30m. Thanks. - Ben -------------- next part -------------- An HTML attachment was scrubbed... URL:
From mailinglists at caseysoftware.com Sun Sep 23 12:10:36 2007 From: mailinglists at caseysoftware.com (Keith Casey) Date: Sun, 23 Sep 2007 12:10:36 -0400 Subject: [nycphp-talk] [OT] Authorize.net & banks. In-Reply-To: <003401c7fe5e$aa16a460$6b01a8c0@c500> References: <003401c7fe5e$aa16a460$6b01a8c0@c500> Message-ID:
On 9/23/07, Ben Sgro (ProjectSkyLine) wrote: > Which banks work with authorize.net? Do all banks work w/the service? > Does anyone know where to find such info. I might be a bit off in the terminology, but there are three players in the process. * First, there's your bank where you should have a Business Checking account. I used Wachovia when I set mine up in Jan 2005. I think any Business Checking account should work, but supposedly personal accounts do not. * Then there's Authorize.net which is the payment gateway/processor (incorrect term?). Your customers put their CC info there. * Finally, between them is another bank which handles the transaction between Authorize.net and your bank. They do the deposits, etc. I did mine with Wells Fargo. Shop around on rates - the discount rate is their cut. Dating sites will lose more (6+%) while established businesses are usually much less (2-3%). I got 2.19% when I did mine. And carefully watch your chargebacks. kc -- D. Keith Casey Jr.
CEO, CaseySoftware, LLC http://CaseySoftware.com From ben at projectskyline.com Mon Sep 24 00:20:06 2007 From: ben at projectskyline.com (Ben Sgro (ProjectSkyLine)) Date: Mon, 24 Sep 2007 00:20:06 -0400 Subject: [nycphp-talk] [OT] Authorize.net & banks. References: <003401c7fe5e$aa16a460$6b01a8c0@c500> Message-ID: <003c01c7fe62$30215750$6b01a8c0@c500> Hello Keith, Good points. From the authorize.net online info, my understanding is that: http://www.authorize.net/support/csfaqs/#142133 #9 The Credit Card Interchange System passes the appropriate funds for the transaction to the Acquiring Bank. I guess I'm not clear on who that is, and how to set that up. I know my client has a merchant account with Soveirgn Bank. My client is a 35 year old business, so I'm sure they have good rates. So we want Authorize.net to transfer the funds to Soveirgn when the CC charge is completed. Any further info? - Ben ----- Original Message ----- From: "Keith Casey" To: "NYPHP Talk" Sent: Sunday, September 23, 2007 12:10 PM Subject: Re: [nycphp-talk] [OT] Authorize.net & banks. > On 9/23/07, Ben Sgro (ProjectSkyLine) wrote: >> Which banks work with authorize.net? Do all banks work w/the service? >> Does anyone know where to find such info. > > I might be a bit off in the terminology, but there are three players > in the process. > * First, there's your bank where you should have a Business Checking > account. I used Wachovia when I set mine up in Jan 2005. I think any > Business Checking account should work, but supposedly personal > accounts do not. > * Then there's Authorize.net which is the payment gateway/processor > (incorrect term?). Your customers put their CC info there. > * Finally, between them is another bank which handles the transaction > between Authorize.net and your bank. They do the deposits, etc. I > did mine with Wells Fargo. > > Shop around on rates - the discount rate is their cut. 
Dating sites > will lose more (6+%) while established businesses are usually much > less (2-3%). I got 2.19% when I did mine. And carefully watch your > chargebacks. > > kc > > -- > D. Keith Casey Jr. > CEO, CaseySoftware, LLC > http://CaseySoftware.com > _______________________________________________ > New York PHP Community Talk Mailing List > http://lists.nyphp.org/mailman/listinfo/talk > > NYPHPCon 2006 Presentations Online > http://www.nyphpcon.com > > Show Your Participation in New York PHP > http://www.nyphp.org/show_participation.php From lists at zaunere.com Sun Sep 23 12:40:11 2007 From: lists at zaunere.com (Hans Zaunere) Date: Sun, 23 Sep 2007 12:40:11 -0400 Subject: [nycphp-talk] [OT] Authorize.net & banks. In-Reply-To: <003c01c7fe62$30215750$6b01a8c0@c500> References: <003401c7fe5e$aa16a460$6b01a8c0@c500> <003c01c7fe62$30215750$6b01a8c0@c500> Message-ID: <091a01c7fe00$68b66ef0$671ba8c0@MobileZ> Ben Sgro (ProjectSkyLine) wrote on Monday, September 24, 2007 12:20 AM: > Hello Keith, > > Good points. From the authorize.net online info, my understanding is > that: > http://www.authorize.net/support/csfaqs/#142133 > > #9 The Credit Card Interchange System passes the appropriate funds > for the transaction to the Acquiring Bank. > > I guess I'm not clear on who that is, and how to set that up. I know > my client has a merchant > account with Soveirgn Bank. My client is a 35 year old business, so > I'm sure they have > good rates. > > So we want Authorize.net to transfer the funds to Soveirgn when the CC > charge is completed. This is always a brilliantly confusing topic, but as I understand it... -- you have a business checking account (let's say with Soveirgn) -- you get a merchant account (with your bank like Soveirgn, or somewhere else) -- your merchant account generally picks the gateway (like authorize.net) to use There might be some more options, but typically the gateway (authorize.net) doesn't do much with the money. 
They just authorize the card and do the capture. If things are kosher, then they tell your merchant account to initiate the transfer from the user's card to your merchant account. Once things settle at the end of the day, it gets transferred to your business checking account. Generally the best bet that I've seen is to talk to your bank (the one where you can write checks from). They typically will provide merchant services, and generally have the better rates. Going through third parties and smaller middlemen can be troublesome. I just had a meeting the other night with a couple guys who wrote their own gateway (like authorize.net). The number of middle-men was astonishing. Someone like Authorize.net doesn't actually talk to the credit card companies... they need to talk to another layer of networks. It's not until another apparent two to three layers of network, that finally the credit card companies themselves get hit. Mix in the different types of credit cards, international banks, and the required support of course for standard POS terminals, it's amazing it works quite frankly. H
From cliff at pinestream.com Sun Sep 23 14:51:59 2007 From: cliff at pinestream.com (Cliff Hirsch) Date: Sun, 23 Sep 2007 14:51:59 -0400 Subject: [nycphp-talk] [OT] Authorize.net & banks. In-Reply-To: <003c01c7fe62$30215750$6b01a8c0@c500> Message-ID:
> I guess I'm not clear on who that is, and how to set that up. I know my > client has a merchant > account with Soveirgn Bank. My client is a 35 year old business, so I'm sure > they have > good rates. > > So we want Authorize.net to transfer the funds to Soveirgn when the CC > charge is completed. If Soverign also serves as the payment processor and issues your client a merchant account #. Most brick and mortar banks will also serve as payment processors with the usual higher than market rates that brick and mortar banks usually have. There are lots of payment processors. If you Google the term, you will see a zillion listings.
Understand that most of these are ISOs -- yet another layer of complexity. An ISO (independent service organization) is just a sales rep for a merchant bank. Easiest way is to either get a merchant # through the client's bank or through the shopping cart provider you will be using. Just get it -- don't worry about rates unless you have a very low margin biz. The quoted rate is B.S. anyway. Ideally you want a cost-plus rate, meaning Interchange + the processor's markup (typically 25 cents) + the gateway fee, which is usually 5-10 cents per transaction. But for simplicity, just get it and don't worry.
From mailinglists at caseysoftware.com Sun Sep 23 15:15:59 2007 From: mailinglists at caseysoftware.com (Keith Casey) Date: Sun, 23 Sep 2007 15:15:59 -0400 Subject: [nycphp-talk] [OT] Authorize.net & banks. In-Reply-To: References: <003c01c7fe62$30215750$6b01a8c0@c500> Message-ID:
On 9/23/07, Cliff Hirsch wrote: > Easiest way is to either get a merchant # through the client's bank or > through the shopping cart provider you will be using. Just get it -- don't > worry about rates unless you have a very low margin biz. The quoted rate is > B.S. anyway. Ideally you want a cost-plus rate, meaning Interchange + the > processor's markup (typically 25 cents) + the gateway fee, which is usually > 5-10 cents per transaction. But for simplicity, just get it and don't worry. True... the more dangerous thing is the chargeback rate. Some processors, if you hit a certain % of chargebacks (in terms of dollar amount), they usually have the right to cut you off immediately. If the company has a long history with the provider, the % will probably be higher. I seem to remember 5% as a common number... A chargeback is when someone talks to their cc company and requests the charge to be removed. The cc company will immediately issue a refund, the processor will immediately issue a refund, and your account will be debited the amount.
I was working with a dating site that got cut off about 4 days before Christmas; it took them 2 weeks to get back online. kc -- D. Keith Casey Jr. CEO, CaseySoftware, LLC http://CaseySoftware.com
From jay_nyphp2 at fastmail.fm Sun Sep 23 21:25:25 2007 From: jay_nyphp2 at fastmail.fm (Jay Sheth) Date: Sun, 23 Sep 2007 21:25:25 -0400 Subject: [nycphp-talk] next meeting Message-ID: <1190597125.11226.1212184739@webmail.messagingengine.com>
Hi, I've not been to the meetings in a while, and was just wondering if the next meeting is on Sept 25th, or on October 23rd (like the website says). Thanks. Regards, - Jay
From lists at zaunere.com Mon Sep 24 08:09:01 2007 From: lists at zaunere.com (Hans Zaunere) Date: Mon, 24 Sep 2007 08:09:01 -0400 Subject: [nycphp-talk] next meeting In-Reply-To: <1190597125.11226.1212184739@webmail.messagingengine.com> References: <1190597125.11226.1212184739@webmail.messagingengine.com> Message-ID: <0dd801c7fea3$b18fbca0$671ba8c0@MobileZ>
Hi Jay, > I've not been to the meetings in a while, and was just wondering if > the next meeting is on Sept 25th, or on October 23rd (like the website > says). Our next meeting will be Oct. 23rd at IBM. We're also working on a holiday party (see http://www.nytchp.com for the 2004 event) on Dec. 13th. H
From jay_nyphp2 at fastmail.fm Mon Sep 24 12:11:26 2007 From: jay_nyphp2 at fastmail.fm (Jay Sheth) Date: Mon, 24 Sep 2007 12:11:26 -0400 Subject: [nycphp-talk] next meeting Message-ID: <1190650286.24270.1212304087@webmail.messagingengine.com>
Hi Hans, thanks for the note. I will be there for the next meeting in October. The holiday party is a great idea - I went to one several years ago. Regards, - Jay
From czech at npgroup.net Mon Sep 24 16:52:19 2007 From: czech at npgroup.net (Pete Czech - New Possibilities Group, LLC) Date: Mon, 24 Sep 2007 16:52:19 -0400 Subject: [nycphp-talk] [OT] Authorize.net & banks.
In-Reply-To: <003c01c7fe62$30215750$6b01a8c0@c500> References: <003401c7fe5e$aa16a460$6b01a8c0@c500> <003c01c7fe62$30215750$6b01a8c0@c500> Message-ID: <46F82383.7090108@npgroup.net> (long time lurker, occasional poster) That is how it works. I have an account with Authorize - they capture the transaction. Then they send it to my merchant account, say, wells fargo, who in turn takes the money and transfers to my checking account. Authorize just runs the authorization and then sends the money to the merchant account bank. Kinda confusing but it works without hiccup. Of course, the fees do add up. When I signed up with wells fargo, i got authorize for free. Maybe they still do this but this was years ago. pjc Ben Sgro (ProjectSkyLine) wrote: > Hello Keith, > > Good points. From the authorize.net online info, my understanding is > that: > http://www.authorize.net/support/csfaqs/#142133 > > #9 The Credit Card Interchange System passes the appropriate funds for > the transaction to the Acquiring Bank. > > I guess I'm not clear on who that is, and how to set that up. I know > my client has a merchant > account with Soveirgn Bank. My client is a 35 year old business, so > I'm sure they have > good rates. > > So we want Authorize.net to transfer the funds to Soveirgn when the CC > charge is completed. > > Any further info? > > - Ben > > > ----- Original Message ----- From: "Keith Casey" > > To: "NYPHP Talk" > Sent: Sunday, September 23, 2007 12:10 PM > Subject: Re: [nycphp-talk] [OT] Authorize.net & banks. > > >> On 9/23/07, Ben Sgro (ProjectSkyLine) wrote: >>> Which banks work with authorize.net? Do all banks work w/the service? >>> Does anyone know where to find such info. >> >> I might be a bit off in the terminology, but there are three players >> in the process. >> * First, there's your bank where you should have a Business Checking >> account. I used Wachovia when I set mine up in Jan 2005. 
I think any >> Business Checking account should work, but supposedly personal >> accounts do not. >> * Then there's Authorize.net which is the payment gateway/processor >> (incorrect term?). Your customers put their CC info there. >> * Finally, between them is another bank which handles the transaction >> between Authorize.net and your bank. They do the deposits, etc. I >> did mine with Wells Fargo. >> >> Shop around on rates - the discount rate is their cut. Dating sites >> will lose more (6+%) while established businesses are usually much >> less (2-3%). I got 2.19% when I did mine. And carefully watch your >> chargebacks. >> >> kc >> >> -- >> D. Keith Casey Jr. >> CEO, CaseySoftware, LLC >> http://CaseySoftware.com >> _______________________________________________ >> New York PHP Community Talk Mailing List >> http://lists.nyphp.org/mailman/listinfo/talk >> >> NYPHPCon 2006 Presentations Online >> http://www.nyphpcon.com >> >> Show Your Participation in New York PHP >> http://www.nyphp.org/show_participation.php > > _______________________________________________ > New York PHP Community Talk Mailing List > http://lists.nyphp.org/mailman/listinfo/talk > > NYPHPCon 2006 Presentations Online > http://www.nyphpcon.com > > Show Your Participation in New York PHP > http://www.nyphp.org/show_participation.php > -- Pete Czech Lead Guru New Possibilities Group, LLC http://npgroup.net 973.931.8283 AIM: PJCzech From ben at projectskyline.com Mon Sep 24 17:39:17 2007 From: ben at projectskyline.com (Ben Sgro (ProjectSkyLine)) Date: Mon, 24 Sep 2007 17:39:17 -0400 Subject: [nycphp-talk] [OT] Authorize.net & banks. References: <003401c7fe5e$aa16a460$6b01a8c0@c500> <003c01c7fe62$30215750$6b01a8c0@c500> <46F82383.7090108@npgroup.net> Message-ID: <4a8e01c7fef3$5c95d5e0$6401a8c0@gamebox> Hello Pete, Thanks, that's my understanding of it now. I spoke to authorize.net this AM and they cleared it all up. 
We are going to use them and wells fargo as our merchant service provider and they can deposit the funds into my clients bank. > Of course, the fees do add up. Yeah, the fees are about $2.75 per $100.00. - Ben ----- Original Message ----- From: "Pete Czech - New Possibilities Group, LLC" To: "NYPHP Talk" Sent: Monday, September 24, 2007 4:52 PM Subject: Re: [nycphp-talk] [OT] Authorize.net & banks. > (long time lurker, occasional poster) > > That is how it works. I have an account with Authorize - they capture > the transaction. Then they send it to my merchant account, say, wells > fargo, who in turn takes the money and transfers to my checking > account. Authorize just runs the authorization and then sends the money > to the merchant account bank. Kinda confusing but it works without > hiccup. Of course, the fees do add up. > > When I signed up with wells fargo, i got authorize for free. Maybe they > still do this but this was years ago. > > pjc > > Ben Sgro (ProjectSkyLine) wrote: >> Hello Keith, >> >> Good points. From the authorize.net online info, my understanding is >> that: >> http://www.authorize.net/support/csfaqs/#142133 >> >> #9 The Credit Card Interchange System passes the appropriate funds for >> the transaction to the Acquiring Bank. >> >> I guess I'm not clear on who that is, and how to set that up. I know >> my client has a merchant >> account with Soveirgn Bank. My client is a 35 year old business, so >> I'm sure they have >> good rates. >> >> So we want Authorize.net to transfer the funds to Soveirgn when the CC >> charge is completed. >> >> Any further info? >> >> - Ben >> >> >> ----- Original Message ----- From: "Keith Casey" >> >> To: "NYPHP Talk" >> Sent: Sunday, September 23, 2007 12:10 PM >> Subject: Re: [nycphp-talk] [OT] Authorize.net & banks. >> >> >>> On 9/23/07, Ben Sgro (ProjectSkyLine) wrote: >>>> Which banks work with authorize.net? Do all banks work w/the service? >>>> Does anyone know where to find such info. 
>>> >>> I might be a bit off in the terminology, but there are three players >>> in the process. >>> * First, there's your bank where you should have a Business Checking >>> account. I used Wachovia when I set mine up in Jan 2005. I think any >>> Business Checking account should work, but supposedly personal >>> accounts do not. >>> * Then there's Authorize.net which is the payment gateway/processor >>> (incorrect term?). Your customers put their CC info there. >>> * Finally, between them is another bank which handles the transaction >>> between Authorize.net and your bank. They do the deposits, etc. I >>> did mine with Wells Fargo. >>> >>> Shop around on rates - the discount rate is their cut. Dating sites >>> will lose more (6+%) while established businesses are usually much >>> less (2-3%). I got 2.19% when I did mine. And carefully watch your >>> chargebacks. >>> >>> kc >>> >>> -- >>> D. Keith Casey Jr. >>> CEO, CaseySoftware, LLC >>> http://CaseySoftware.com >>> _______________________________________________ >>> New York PHP Community Talk Mailing List >>> http://lists.nyphp.org/mailman/listinfo/talk >>> >>> NYPHPCon 2006 Presentations Online >>> http://www.nyphpcon.com >>> >>> Show Your Participation in New York PHP >>> http://www.nyphp.org/show_participation.php >> >> _______________________________________________ >> New York PHP Community Talk Mailing List >> http://lists.nyphp.org/mailman/listinfo/talk >> >> NYPHPCon 2006 Presentations Online >> http://www.nyphpcon.com >> >> Show Your Participation in New York PHP >> http://www.nyphp.org/show_participation.php >> > > -- > > Pete Czech > Lead Guru > New Possibilities Group, LLC > http://npgroup.net > > 973.931.8283 > AIM: PJCzech > > _______________________________________________ > New York PHP Community Talk Mailing List > http://lists.nyphp.org/mailman/listinfo/talk > > NYPHPCon 2006 Presentations Online > http://www.nyphpcon.com > > Show Your Participation in New York PHP > 
http://www.nyphp.org/show_participation.php
From ben at projectskyline.com Mon Sep 24 18:37:13 2007 From: ben at projectskyline.com (Ben Sgro (ProjectSkyLine)) Date: Mon, 24 Sep 2007 18:37:13 -0400 Subject: [nycphp-talk] [OT] PHP IDS & Web Application Security Message-ID: <4aba01c7fefb$74b8e830$6401a8c0@gamebox>
Hello All, I thought some might find this interesting. A PHP-based IDS for web apps. I played around with it on the site and it seems pretty cool. FROM THE SITE: PHPIDS (PHP-Intrusion Detection System) is a simple to use, well structured, fast and state-of-the-art security layer for your PHP based web application. The IDS neither strips, sanitizes nor filters any malicious input, it simply recognizes when an attacker tries to break your site and reacts in exactly the way you want it to. Based on a set of approved and heavily tested filter rules any attack is given a numerical impact rating which makes it easy to decide what kind of action should follow the hacking attempt. This could range from simple logging to sending out an emergency mail to the development team, displaying a warning message for the attacker or even ending the user's session. The creators maintain a .xml with regex signatures used for detecting XSS, SQL, etc attacks. I've seen one site in the wild that's using it to protect itself. It makes me wonder though, as more of these solutions emerge, will we see less security conscious coding? http://php-ids.org/news/ - Ben I recently finished a security audit and pen test for a client. I couldn't believe the problems they had. They found a developer off CL and with his impressive portfolio decided to work with him. Now my firm, 8 months later, is fixing all the developer's mistakes. They had cookie based auth, file upload exploits, XSS, SQL injection, ... you name it we could do it. Anyways, it's just sad to see these types of moonlight coders calling themselves developers and doing an awful job at writing software and leaving their clients exposed.
-------------- next part -------------- An HTML attachment was scrubbed... URL:
From arzala at gmail.com Tue Sep 25 00:10:37 2007 From: arzala at gmail.com (Anirudh Zala) Date: Tue, 25 Sep 2007 09:40:37 +0530 Subject: [nycphp-talk] Integration Strategies In-Reply-To: <04d601c7fd46$87858100$671ba8c0@MobileZ> References: <04d601c7fd46$87858100$671ba8c0@MobileZ> Message-ID: <200709250940.38042.arzala@gmail.com>
On Saturday 22 Sep 2007 23:59:36 Hans Zaunere wrote: > Hello all, > > A recent presentation suggestion was on the topic of integration. For > instance, taking the best of breed CMS, calendar and shopping cart > application and getting them to cross-connect. Namely, for user > authentication, authorization and management. > > There is no single solution that I am aware of, but typical strategies > include the following: > > -- custom code to glue these different items together, on a case-by-case > basis > > -- starting out with a framework of sorts and using modules built for it. > The framework then provides the integration. - Detailed study: Normally it is necessary to study each application to find out whether it behaves differently when used without its parent framework or not. Some applications work best when they are part of the parent application/framework but may not work as expected in a custom environment. - Changing code: Additionally, it may also require changing the application itself. But the changes depend upon the requirements of the integration and the complexity of the application's code. - Security concern: Some sort of custom code must be designed to check whether any kind of security hole has been introduced by the integration of the various applications or not. Thanks Anirudh Zala > > So I'd like to begin a discussion on what others have done to address these > challenges. > > Additionally, we can use the points raised for a future presentation.
I'd > like to set one meeting aside where 4-5 speakers provide 10-15 minute case > studies on solutions/strategies they've used as solutions to these > challenges. > > --- > Hans Zaunere / President / New York PHP > www.nyphp.org / www.nyphp.com > > > > > _______________________________________________ > New York PHP Community Talk Mailing List > http://lists.nyphp.org/mailman/listinfo/talk > > NYPHPCon 2006 Presentations Online > http://www.nyphpcon.com > > Show Your Participation in New York PHP > http://www.nyphp.org/show_participation.php
From ioplex at gmail.com Tue Sep 25 02:29:50 2007 From: ioplex at gmail.com (Michael B Allen) Date: Tue, 25 Sep 2007 02:29:50 -0400 Subject: [nycphp-talk] Integration Strategies In-Reply-To: <04d601c7fd46$87858100$671ba8c0@MobileZ> References: <04d601c7fd46$87858100$671ba8c0@MobileZ> Message-ID: <78c6bd860709242329q19520a51l8545c30dd577d266@mail.gmail.com>
On 9/22/07, Hans Zaunere wrote: > > Hello all, > > A recent presentation suggestion was on the topic of integration. For > instance, taking the best of breed CMS, calendar and shopping cart > application and getting them to cross-connect. Namely, for user > authentication, authorization and management. > > There is no single solution that I am aware of, but typical strategies > include the following: > > -- custom code to glue these different items together, on a case-by-case > basis > > -- starting out with a framework of sorts and using modules built for it. > The framework then provides the integration. Hi Hans, It really would be a boon if there were some kind of PHP standards like Java's Servlet API and JAAS (minus the bloat). I fear that's the only way you're going to get good reliable interop of components. I've done SPNEGO auth plugins for MediaWiki, SugarCRM, and Joomla! 1.5 and they were all surprisingly different (in some cases it simply wasn't possible - Joomla! 1.0 didn't have the necessary hooks).
It seems apps tend to build auth around the idea of a username and password, but we're doing SSO, which usually doesn't even have access to a password.

Authorization is even harder. The application must use one method to address and handle a resource being protected. We had page ACLs for MediaWiki but we recently ripped it out because MW quite simply wasn't designed to protect content by name or action. Users could access the same content through a variety of different methods.

Mike

From mitch.pirtle at gmail.com Tue Sep 25 11:51:46 2007
From: mitch.pirtle at gmail.com (Mitch Pirtle)
Date: Tue, 25 Sep 2007 11:51:46 -0400
Subject: [nycphp-talk] [OT] PHP IDS & Web Application Security
In-Reply-To: <4aba01c7fefb$74b8e830$6401a8c0@gamebox>
References: <4aba01c7fefb$74b8e830$6401a8c0@gamebox>
Message-ID: <330532b60709250851n39fb7ea1nef55c0c750de19bf@mail.gmail.com>

On 9/24/07, Ben Sgro (ProjectSkyLine) wrote:
>
> I recently finished a security audit and pen test for a client. I couldn't
> believe the problems they had. They found a developer off CL and with his
> impressive portfolio decided to work with him. Now my firm, 8 months later,
> is fixing all the developer's mistakes. They had cookie based auth, file
> upload exploits, xss, sql injection, ... you name it we could do it.
> Anyways, it's just sad to see these types of moonlight coders calling
> themselves developers and doing an awful job at writing software and
> leaving their clients exposed.

You know what? As long as the market for geeks remains hot like it is now, there will be these parasites making us all look bad. Unfortunate but true, and I distinctly remember observing this last time around in the late 90s. Once the bubble burst and the economy went into the toilet, all these folks went back to whatever it was they were doing before jumping on the web developer bandwagon in disguise.
-- 
Mitch

From SHalter at ThorntonTomasetti.com Tue Sep 25 11:43:06 2007
From: SHalter at ThorntonTomasetti.com (Halter, Shari)
Date: Tue, 25 Sep 2007 11:43:06 -0400
Subject: [nycphp-talk] Design Firm Recommendations
Message-ID: <20070925155326.15615BC8211@gatekeeper.thettgroup.com>

This may be slightly off php topic, but am wondering if anyone can provide a recommendation.

Has anyone on the list worked for, or with, a design firm they can recommend for overhaul of internal/external web presence for a 500+ person international firm?

Intuitive design (for internal) and engaging interface (external) is as important as their experience with IA consulting and shepherding the project through a CMS integration on the backend.

Shari L. Halter
Web Programmer, Corporate Services
Thornton Tomasetti
51 Madison Avenue
New York, NY 10010
T 917.661.7800 F 917.661.7801
D 917.661.7970
SHalter at ThorntonTomasetti.com

<><><><><><><><><><><><><><><><><><><><><><><><><><><><><><>
The information in this email and any attachments may contain confidential information that is intended solely for the attention and use of the named addressee(s). This message or any part thereof must not be disclosed, copied, distributed or retained by any person without authorization from the addressee. If you are not the intended addressee, please notify the sender immediately, and delete this message.
<><><><><><><><><><><><><><><><><><><><><><><><><><><><><><>

From alexchan.1976 at gmail.com Tue Sep 25 12:33:25 2007
From: alexchan.1976 at gmail.com (Alex C)
Date: Tue, 25 Sep 2007 12:33:25 -0400
Subject: [nycphp-talk] Design Firm Recommendations
In-Reply-To: <20070925155326.15615BC8211@gatekeeper.thettgroup.com>
References: <20070925155326.15615BC8211@gatekeeper.thettgroup.com>
Message-ID: <8f494f760709250933y25803544ta2677a1442f6a0a8@mail.gmail.com>

Where I worked, we used Pentagram.
www.pentagram.com

alex

On 9/25/07, Halter, Shari wrote:
>
> This may be slightly off php topic, but am wondering if anyone can provide a
> recommendation.
>
> Has anyone on the list worked for, or with, a design firm they can recommend
> for overhaul of internal/external web presence for a 500+ person
> international firm?
>
> Intuitive design (for internal) and engaging interface (external) is as
> important as their experience with IA consulting and shepherding the project
> through a CMS integration on the backend.
>
> Shari L. Halter
> Web Programmer, Corporate Services
> Thornton Tomasetti
> 51 Madison Avenue
> New York, NY 10010
> T 917.661.7800 F 917.661.7801
> D 917.661.7970
> SHalter at ThorntonTomasetti.com

From ken at secdat.com Wed Sep 26 06:54:33 2007
From: ken at secdat.com (Kenneth Downs)
Date: Wed, 26 Sep 2007 06:54:33 -0400
Subject: [nycphp-talk] Not-so-subtle attack on PHP
Message-ID: <46FA3A69.6000109@secdat.com>

From: http://www.eweek.com/article2/0,1759,2188714,00.asp

Q: How can sites protect themselves against SQL injection?
A: The best defense is to design your database-backed Web site properly to make sure it always separates SQL code and user data. You basically have a choice between programming tools that are specifically designed to prevent you from making this kind of mistake and those that allow you to get into trouble if you're not careful. Roughly speaking, this corresponds to the difference between the newer Microsoft .Net tools and their older tools or open source frameworks like PHP.

-- 
Kenneth Downs
Secure Data Software, Inc.
www.secdat.com www.andromeda-project.org
631-689-7200 Fax: 631-689-0527
cell: 631-379-0010

From jmcgraw1 at gmail.com Wed Sep 26 13:53:02 2007
From: jmcgraw1 at gmail.com (Jake McGraw)
Date: Wed, 26 Sep 2007 13:53:02 -0400
Subject: [nycphp-talk] Not-so-subtle attack on PHP
In-Reply-To: <46FA3A69.6000109@secdat.com>
References: <46FA3A69.6000109@secdat.com>
Message-ID:

Oh snap!

Personally, I like the flexibility PHP gives you in determining what you can put in your queries and with PHP 5+, using the filter functions and querying a MySQL DB with mysqli is a foolproof method of preventing SQL injection.

- jake

On 9/26/07, Kenneth Downs wrote:
>
> From: http://www.eweek.com/article2/0,1759,2188714,00.asp
>
> Q: How can sites protect themselves against SQL injection?
> A: The best defense is to design your database-backed Web site properly to
> make sure it always separates SQL code and user data. You basically have a
> choice between programming tools that are specifically designed to prevent
> you from making this kind of mistake and those that allow you to get into
> trouble if you're not careful. Roughly speaking, this corresponds to the
> difference between the newer Microsoft .Net tools and their older tools or
> open source frameworks like PHP.
>
> --
> Kenneth Downs
> Secure Data Software, Inc.
> www.secdat.com www.andromeda-project.org
> 631-689-7200 Fax: 631-689-0527
> cell: 631-379-0010

From SHalter at ThorntonTomasetti.com Wed Sep 26 13:18:08 2007
From: SHalter at ThorntonTomasetti.com (Halter, Shari)
Date: Wed, 26 Sep 2007 13:18:08 -0400
Subject: [nycphp-talk] Design Firm Recommendations
Message-ID: <20070926172734.A7A1BBC8123@gatekeeper.thettgroup.com>

Thank you everyone for the design firm recommendations!

Much appreciated,
Shari

Shari L. Halter
Web Programmer, Corporate Services
Thornton Tomasetti
51 Madison Avenue
New York, NY 10010
T 917.661.7800 F 917.661.7801
D 917.661.7970
SHalter at ThorntonTomasetti.com

From chsnyder at gmail.com Wed Sep 26 14:04:04 2007
From: chsnyder at gmail.com (csnyder)
Date: Wed, 26 Sep 2007 14:04:04 -0400
Subject: [nycphp-talk] Not-so-subtle attack on PHP
In-Reply-To: <46FA3A69.6000109@secdat.com>
References: <46FA3A69.6000109@secdat.com>
Message-ID:

On 9/26/07, Kenneth Downs wrote:
>
> From:
> http://www.eweek.com/article2/0,1759,2188714,00.asp
>
> Q: How can sites protect themselves against SQL injection?
> A: You basically have a choice between programming tools that lock you
> into proprietary architectures and those that allow you to incorporate new
> open source libraries and tools as they become available.

There, fixed that for them.

If your PHP code isn't preventing SQL injection then use one of the many extensions or libraries that prevents it... or write your own. My personal favorite:

    public function esc( $value ) {
        return mysql_real_escape_string( $value, $this->db );
    }

-- 
Chris Snyder
http://chxo.com/

From ken at secdat.com Wed Sep 26 14:10:30 2007
From: ken at secdat.com (Kenneth Downs)
Date: Wed, 26 Sep 2007 14:10:30 -0400
Subject: [nycphp-talk] Not-so-subtle attack on PHP
In-Reply-To:
References: <46FA3A69.6000109@secdat.com>
Message-ID: <46FAA096.2060106@secdat.com>

Jake McGraw wrote:
> Oh snap!
>
> Personally, I like the flexibility PHP gives you in determining what
> you can put in your queries and with PHP 5+, using the filter
> functions and querying a MySQL DB with mysqli is a foolproof method
> of preventing SQL injection.
>
> - jake
>

Me too.

Nobody ever notices this, but the name ought to give it away, "SQL Injection". Not "PHP Injection". The root cause of the SQL injection vulnerability lies in the use of the database, not the code that accesses it. Applying security in the database renders you structurally immune from SQL injection.

-- 
Kenneth Downs
Secure Data Software, Inc.
www.secdat.com www.andromeda-project.org
631-689-7200 Fax: 631-689-0527
cell: 631-379-0010

From cliff at pinestream.com Wed Sep 26 14:34:06 2007
From: cliff at pinestream.com (Cliff Hirsch)
Date: Wed, 26 Sep 2007 14:34:06 -0400
Subject: [nycphp-talk] Not-so-subtle attack on PHP
In-Reply-To:
Message-ID:

On 9/26/07 1:53 PM, "Jake McGraw" wrote:

> Oh snap!
>
> Personally, I like the flexibility PHP gives you in determining what
> you can put in your queries and with PHP 5+, using the filter
> functions and querying a MySQL DB with mysqli is a foolproof method
> of preventing SQL injection.

Filter functions? Not the new input filter functions? To truly prevent SQL injection, you need to use either prepared statements or the mysql_real_escape_string function. And don't forget to put ' ' around the result, otherwise it's useless.

From cliff at pinestream.com Wed Sep 26 14:36:25 2007
From: cliff at pinestream.com (Cliff Hirsch)
Date: Wed, 26 Sep 2007 14:36:25 -0400
Subject: [nycphp-talk] Not-so-subtle attack on PHP
In-Reply-To:
Message-ID:

> My personal favorite:
> public function esc( $value ) {
> return mysql_real_escape_string( $value, $this->db );
> }

I like:

    return "'" . mysql_real_escape_string( $value, $this->db ) . "'";

Otherwise, I might forget to quote the result, rendering the function useless.

From codebowl at gmail.com Wed Sep 26 07:04:48 2007
From: codebowl at gmail.com (Joseph Crawford)
Date: Wed, 26 Sep 2007 07:04:48 -0400
Subject: [nycphp-talk] Design Firm Recommendations
In-Reply-To: <8f494f760709250933y25803544ta2677a1442f6a0a8@mail.gmail.com>
References: <20070925155326.15615BC8211@gatekeeper.thettgroup.com> <8f494f760709250933y25803544ta2677a1442f6a0a8@mail.gmail.com>
Message-ID: <8d9a42800709260404r6f2cfe62g9a3cad6a68988107@mail.gmail.com>

www.jvmediadesign.com

I've worked with these guys for years now.

-- 
Joseph Crawford Jr.
Zend Certified Engineer
http://www.josephcrawford.com/
1-315-820-4244
codebowl at gmail.com

From ramons at gmx.net Wed Sep 26 22:25:24 2007
From: ramons at gmx.net (David Krings)
Date: Wed, 26 Sep 2007 22:25:24 -0400
Subject: [nycphp-talk] Not-so-subtle attack on PHP
In-Reply-To: <46FA3A69.6000109@secdat.com>
References: <46FA3A69.6000109@secdat.com>
Message-ID: <46FB1494.6090705@gmx.net>

Kenneth Downs wrote:
> From: http://www.eweek.com/article2/0,1759,2188714,00.asp
>
> Q: How can sites protect themselves against SQL injection?
> A: The best defense is to design your database-backed Web site properly
> to make sure it always separates SQL code and user data. You basically
> have a choice between programming tools that are specifically designed
> to prevent you from making this kind of mistake and those that allow you
> to get into trouble if you're not careful. Roughly speaking, this
> corresponds to the difference between the newer Microsoft .Net tools and
> their older tools or open source frameworks like PHP.
>

Oh geez, it doesn't matter which programming / scripting language is used. You can make .NET susceptible to SQL injection just as easily: just don't escape user input. Who writes stuff like that?

David

From jcampbell1 at gmail.com Wed Sep 26 22:46:43 2007
From: jcampbell1 at gmail.com (John Campbell)
Date: Wed, 26 Sep 2007 22:46:43 -0400
Subject: [nycphp-talk] Not-so-subtle attack on PHP
In-Reply-To:
References: <46FA3A69.6000109@secdat.com>
Message-ID: <8f0676b40709261946w641cf587u2a67a9dd7434d4d8@mail.gmail.com>

> My personal favorite:
> public function esc( $value ) {
> return mysql_real_escape_string( $value, $this->db );
> }

If that is your personal favorite, you are justifying the article. All you have to do is forget to use single quotes once and your site is vulnerable. Step up and start using prepared queries.

On a similar subject:

If your solution is to "validate input" or "input filtering", you are going about things all wrong.
Validating input is for the birds; prepared sql and output escaping is the way to go. I don't give a shit if my users use names like "" , just like my web email client doesn't filter it from this post. I default to escaping the html automatically when I send it to the view, and all queries are prepared. It makes coding much easier, and I don't have to worry about forgetting to call esc() once.

When coders hear "don't trust user input" it foolishly gets translated to "validate the user's input" and that is one of the primary problems with php coders today. I trust all user input and just escape it for the db and display. I occasionally validate the input, but that is just to make sure the user didn't make a typo.

-John Campbell

From dcech at phpwerx.net Wed Sep 26 23:12:37 2007
From: dcech at phpwerx.net (Dan Cech)
Date: Wed, 26 Sep 2007 23:12:37 -0400
Subject: [nycphp-talk] Not-so-subtle attack on PHP
In-Reply-To: <8f0676b40709261946w641cf587u2a67a9dd7434d4d8@mail.gmail.com>
References: <46FA3A69.6000109@secdat.com> <8f0676b40709261946w641cf587u2a67a9dd7434d4d8@mail.gmail.com>
Message-ID: <46FB1FA5.7060702@phpwerx.net>

John Campbell wrote:
> If your solution is to "validate input" or "input filtering", you are
> going about things all wrong. Validating input is for the birds;
> prepared sql and output escaping is the way to go. I don't give a
> shit if my users use names like "" ,
> just like my web email client doesn't filter it from this post. I
> default to escaping the html automatically when I send it to the view,
> and all queries are prepared. It makes coding much easier, and I
> don't have to worry about forgetting to call esc() once.
>
> When coders hear "don't trust user input" it foolishly gets translated
> to "validate the user's input" and that is one of the primary problems
> with php coders today. I trust all user input and just escape it for
> the db and display.
> I occasionally validate the input, but that is
> just to make sure the user didn't make a typo.

+1

Input filtering is for enforcing program/business logic, not for 'protecting' against 'bad data'. So long as all the data you use is appropriately escaped/encoded, the content of that data is irrelevant.

For the majority of php applications this means using prepared queries (or proper sql escaping), html output escaping, url encoding and proper email encoding (especially headers). All of these are very easy to achieve, and when used in the correct manner yield an application which is invulnerable to the attacks input filtering is supposed to prevent.

Dan

From dell at sala.ca Thu Sep 27 01:14:15 2007
From: dell at sala.ca (Dell Sala)
Date: Thu, 27 Sep 2007 01:14:15 -0400
Subject: [nycphp-talk] Not-so-subtle attack on PHP
In-Reply-To: <46FA3A69.6000109@secdat.com>
References: <46FA3A69.6000109@secdat.com>
Message-ID:

I wouldn't call this an attack on PHP. It is a critique of a philosophy. From the same article:

> Q: Are you saying that sites built with open source tools like PHP
> are more vulnerable to SQL injection attacks than sites built
> with .Net?
>
> A: It's a question of mentality. Microsoft's mindset is to fix
> things in such a way that the user doesn't have so much control and
> is therefore less vulnerable. The open source tools like PHP have a
> different philosophy. They assume that users know what they are
> doing and want to be free of constraints, so these tools let users
> do what they want but at their own risk. The open source tools
> assume that developers these days are aware of the threat of SQL
> injection and will do the right thing.

It's about different approaches to the balance between ease-of-use and flexibility. The holy grail is a solution that provides both. Somewhere down the line there has to be code that generates the SQL. The real challenge is where that code goes.
Does it happen inside a framework of some kind that takes care of all the escaping in a tested and reliable way, or do you generate the SQL higher up in your scripts, adding the flexibility needed for complex joins and query optimization?

Ken wrote:
> Applying security in the database renders you structurally immune
> from SQL injection.

Can you elaborate on this? I'm always intrigued by your DB-centric slant.

-- Dell

From ramons at gmx.net Thu Sep 27 06:40:26 2007
From: ramons at gmx.net (David Krings)
Date: Thu, 27 Sep 2007 06:40:26 -0400
Subject: [nycphp-talk] Not-so-subtle attack on PHP
In-Reply-To: <8f0676b40709261946w641cf587u2a67a9dd7434d4d8@mail.gmail.com>
References: <46FA3A69.6000109@secdat.com> <8f0676b40709261946w641cf587u2a67a9dd7434d4d8@mail.gmail.com>
Message-ID: <46FB889A.5050300@gmx.net>

John Campbell wrote:
> On a similar subject:
> If your solution is to "validate input" or "input filtering", you are
> going about things all wrong. Validating input is for the birds;
> prepared sql and output escaping is the way to go. I don't give a
> shit if my users use names like "" ,
> just like my web email client doesn't filter it from this post. I
> default to escaping the html automatically when I send it to the view,
> and all queries are prepared. It makes coding much easier, and I
> don't have to worry about forgetting to call esc() once.
>
> When coders hear "don't trust user input" it foolishly gets translated
> to "validate the user's input" and that is one of the primary problems
> with php coders today. I trust all user input and just escape it for
> the db and display. I occasionally validate the input, but that is
> just to make sure the user didn't make a typo.

That is what I still would call input validation. The validation is not about the sense of the input, but about it being valid for processing by the system. At least you and I mean the same thing.
When I say "all input is evil" then I mean that you need to check it for being fit for queries and display. So yes, if a user wants to be referred to by "" then I'd not stop them from it.

David

From ken at secdat.com Thu Sep 27 07:21:37 2007
From: ken at secdat.com (Kenneth Downs)
Date: Thu, 27 Sep 2007 07:21:37 -0400
Subject: [nycphp-talk] Not-so-subtle attack on PHP
In-Reply-To:
References: <46FA3A69.6000109@secdat.com>
Message-ID: <46FB9241.3040404@secdat.com>

Dell Sala wrote:
> Ken Wrote:
>
>> Applying security in the database renders you structurally immune
>> from SQL injection.
>
> Can you elaborate on this? I'm always intrigued by your DB-centric slant.
>

Sure.

The typical SQL injection example is where I put some command in on an email form:

    EMAIL: ken at secdat.com'; create user ken password 'backdoor';

In SQL Injection, the user accesses some table they are not supposed to access. This can only be done if the application connects to the database as some generic user, where that generic user can do anything it wants. To eliminate all possibility of SQL Injection, you must connect to the database with a user whose privileges in the database are limited. The trick then is to work out who the users are and how their privileges are assigned.

Database security works basically by denying or granting access to tables. The four fundamental functions of INSERT, UPDATE, DELETE and SELECT can be denied or granted to any user, group, or combination of users and groups. An extremely important point here is that this is the simplest way to do security on a database app, because every other method must resolve down to this method in the end. So any method that begins with other ideas has more work to do.

So security becomes part of the database design process:

1) In the database, DENY ALL to all tables for all users.
2) Define different security groups, also known these days as roles.
3) GRANT select, update, insert, delete privileges to these different groups/roles as needs require.
4) Create actual users and assign them into appropriate groups.

If you want to go all the way, you actually create database users for every user of your system (that's what we do), and when they connect to the website we connect them to the database with their own credentials. This gives us a situation where:

1) SQL Injection does not let them do anything they can't do anyway, so at most it is a waste of the hacker's time.
2) Our user interface design focuses on the idea that they should see everything they can do, and everything they can see they can do. Again, SQL Injection only gives them a really crude way to do something that's probably on the menu!

Hope this helps get you started!

>
> -- Dell
>

-- 
Kenneth Downs
Secure Data Software, Inc.
www.secdat.com www.andromeda-project.org
631-689-7200 Fax: 631-689-0527
cell: 631-379-0010

From johnzabroski at yahoo.com Thu Sep 27 07:56:37 2007
From: johnzabroski at yahoo.com (John Zabroski)
Date: Thu, 27 Sep 2007 04:56:37 -0700 (PDT)
Subject: [nycphp-talk] Not-so-subtle attack on PHP
In-Reply-To: <46FB889A.5050300@gmx.net>
Message-ID: <343915.12072.qm@web60224.mail.yahoo.com>

If that is what you call input validation, then you'd be wrong. SQL Injection is a subset of all attacks based off input vulnerability. As an example, input validation can include calculating and effectively using string length to avoid a buffer overrun or truncation attack. Come to that, the notion of SQL Injection is a subset of all SQL attacks.
As a general observation, input vulnerabilities are usually the most heinous when the human mind can't possibly fathom how something could go wrong. Usually, this manifests itself in the form of a limit. Strings have all sorts of limits, most of which are subtle. Strings have beginnings and ends, they may have delimiters, they may have special terminating characters, etc. Limits are where nasty bugs tend to cluster, mostly because the human mind doesn't work in such a way that when we add 1 to +32767 we think "overflow!" Instead, we think 32768. It doesn't matter how good of a programmer you are. You can have a Ph.D. from Carnegie Mellon and still get tripped up by limits (see: http://googleresearch.blogspot.com/2006/06/extra-extra-read-all-about-it-nearly.html).

Also, validation does concern "sense of input" in many cases. Echo the wrong thing back to an unsuspecting user and the consequences could be horrific. Sending an e-mail out to the wrong user because you didn't validate the send-to address could be horrific, etc.

We should always say what we mean, and always question what we mean. I can guarantee you I learned this the hard way.

David Krings wrote:
> John Campbell wrote:
> > On a similar subject:
> > If your solution is to "validate input" or "input filtering", you are
> > going about things all wrong. Validating input is for the birds;
> > prepared sql and output escaping is the way to go. I don't give a
> > shit if my users use names like "" ,
> > just like my web email client doesn't filter it from this post. I
> > default to escaping the html automatically when I send it to the view,
> > and all queries are prepared. It makes coding much easier, and I
> > don't have to worry about forgetting to call esc() once.
> >
> > When coders hear "don't trust user input" it foolishly gets translated
> > to "validate the user's input" and that is one of the primary problems
> > with php coders today. I trust all user input and just escape it for
> > the db and display.
> > I occasionally validate the input, but that is
> > just to make sure the user didn't make a typo.
>
> That is what I still would call input validation. The validation is not
> about the sense of the input, but about it being valid for processing by
> the system. At least you and I mean the same thing.
>
> When I say "all input is evil" then I mean that you need to check it for
> being fit for queries and display. So yes, if a user wants to be referred
> to by " href='javascript:blahblah'>" then I'd not stop them from it.
>
> David

From jonbaer at jonbaer.com Thu Sep 27 08:14:05 2007
From: jonbaer at jonbaer.com (Jon Baer)
Date: Thu, 27 Sep 2007 08:14:05 -0400
Subject: [nycphp-talk] SPL - Do you use?
Message-ID: <65430E89-BE46-43C4-818A-7CBB0523C3F1@jonbaer.com>

Do many here use the SPL library?

I could never really understand this "library". On one side, part of the Java programming that I really felt to be a burden of added / bloated code was the idea of the "Iterator" (you always had to grab one), and that is pretty much what the SPL is (for PHP5). Part of the joy of PHP was the ease + use of a foreach loop, and then Java took a step back and implemented the same foreach idea in current JVMs, but I barely see it used in many projects. I would guess that Java people coming to PHP would understand its uses / design pattern better, but the part of the Zend article I don't understand is ...
"This library of interfaces creates a standard API for certain kinds of built-in functionality, allowing your classes to interact with the PHP engine in a much more seamless manner."

I'm just wondering if this means the use of saying "foreach($objects as $object)" or does refactoring w/ PHP5 Iterators also get you something else as well?

- Jon

References:
http://devzone.zend.com/article/2565-The-Standard-PHP-Library-SPL
http://us.php.net/spl
http://www.php.net/~helly/php/ext/spl/

From scott at crisscott.com Thu Sep 27 08:58:18 2007
From: scott at crisscott.com (Scott Mattocks)
Date: Thu, 27 Sep 2007 08:58:18 -0400
Subject: [nycphp-talk] SPL - Do you use?
In-Reply-To: <65430E89-BE46-43C4-818A-7CBB0523C3F1@jonbaer.com>
References: <65430E89-BE46-43C4-818A-7CBB0523C3F1@jonbaer.com>
Message-ID: <46FBA8EA.4050203@crisscott.com>

Jon Baer wrote:
> Do many here use the SPL library?
>

I use the ArrayAccess interface all the time. It allows me to get some OOP benefits for data structures while still having the ease of use of an array.

For example, we opened up a SOAP interface for our system. Internally we had things working as arrays, but in order to provide more structure for the web service, we needed to have objects. Instead of rewriting the whole code base, I just made a few new classes which implemented ArrayAccess, changed $thing = array(); to $thing = new ArrayLikeObject(); and left the rest of the code alone. The rest of the code still does things like $thing[$key] = $var; but the SOAP interface has the objects it needs. It saved us from a lot of extra work rewriting tons of code.
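The swap Scott describes (replace `$thing = array();` with an object implementing ArrayAccess and leave the `$thing[$key] = $var;` code alone), written out as an added example; this is not Scott's code and not from his project. The `Record` class, its fixed field list and the order data are assumptions made for the illustration, and it uses PHP 8.0+ signatures. It also answers Jon's question about what the SPL interfaces buy you beyond `foreach`: ArrayAccess only covers the `[]` operator, so `foreach` and `count()` silently stop working on the object unless IteratorAggregate and Countable are implemented too, and built-in array functions still refuse the object.

```php
<?php
declare(strict_types=1);

// Added example (not from the original post): a drop-in replacement for a
// plain array that also refuses fields outside a fixed schema. "Record",
// the field list and the order data below are assumptions for illustration.
final class Record implements ArrayAccess, IteratorAggregate, Countable
{
    /** @var array<string, mixed> */
    private array $data = [];
    /** @var array<string, int> allowed field names, flipped for O(1) lookup */
    private array $allowed;

    /** @param string[] $allowedKeys */
    public function __construct(array $allowedKeys, array $initial = [])
    {
        $this->allowed = array_flip($allowedKeys);
        foreach ($initial as $k => $v) {
            $this[$k] = $v;            // routes through offsetSet, so it is validated
        }
    }

    public function offsetExists(mixed $key): bool
    {
        return isset($this->data[$key]);        // what isset($rec['x']) calls
    }

    public function offsetGet(mixed $key): mixed
    {
        if (!array_key_exists($key, $this->data)) {
            throw new OutOfBoundsException("no such field: $key");
        }
        return $this->data[$key];
    }

    public function offsetSet(mixed $key, mixed $value): void
    {
        // $rec[] = $v arrives with a null key; unknown fields are refused.
        // A plain array would silently accept both.
        if ($key === null || !isset($this->allowed[$key])) {
            throw new InvalidArgumentException('field not allowed: ' . var_export($key, true));
        }
        $this->data[$key] = $value;
    }

    public function offsetUnset(mixed $key): void
    {
        unset($this->data[$key]);
    }

    public function getIterator(): Iterator
    {
        return new ArrayIterator($this->data);  // this, not ArrayAccess, makes foreach work
    }

    public function count(): int
    {
        return count($this->data);              // this makes count() work
    }

    /** Plain array for a serialising layer (SOAP, JSON) that wants data, not an object. */
    public function toArray(): array
    {
        return $this->data;
    }
}

// The swap: this line used to read  $order = array();
$order = new Record(['id', 'sku', 'qty']);

// ... and the untouched old code keeps treating it as an array:
$order['id']  = 42;
$order['sku'] = 'ABC-1';
$order['qty'] = 3;

foreach ($order as $field => $value) {          // needs IteratorAggregate
    printf("%s=%s\n", $field, $value);
}
echo count($order), "\n";                       // 3, via Countable
echo isset($order['sku']) ? "has sku\n" : "no sku\n";

try {
    $order['is_admin'] = true;                  // not in the field list: refused
} catch (InvalidArgumentException $e) {
    echo 'refused: ', $e->getMessage(), "\n";
}

// Caveat: array functions still see an object, so keep a real-array accessor.
var_dump(is_array($order));                     // bool(false)
echo implode(',', array_keys($order->toArray())), "\n";   // id,sku,qty
```

The schema check in `offsetSet` is the part that a bare array cannot give you: once the object is in place, a caller (or a mass-assignment bug) cannot introduce a field such as `is_admin` that the SOAP layer never expected to carry.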
-- 
Scott Mattocks
Author: Pro PHP-GTK
http://www.crisscott.com

From chsnyder at gmail.com Thu Sep 27 09:11:34 2007
From: chsnyder at gmail.com (csnyder)
Date: Thu, 27 Sep 2007 09:11:34 -0400
Subject: [nycphp-talk] Not-so-subtle attack on PHP
In-Reply-To: <8f0676b40709261946w641cf587u2a67a9dd7434d4d8@mail.gmail.com>
References: <46FA3A69.6000109@secdat.com> <8f0676b40709261946w641cf587u2a67a9dd7434d4d8@mail.gmail.com>
Message-ID:

On 9/26/07, John Campbell wrote:
> > My personal favorite:
> > public function esc( $value ) {
> > return mysql_real_escape_string( $value, $this->db );
> > }
>
> If that is your personal favorite, you are justifying the article.
> All you have to do is forget to use single quotes once and your site
> is vulnerable. Step up and start using prepared queries.

Hmm, yeah I probably should, now that everything is php5.

I need to create SQL snippets that get embedded in multiple and modular queries, like "obj.priority > 99 AND obj.title='Foo' "... is there a way to "pre-prepare" that? Or will I need to pass an object around with the statement "obj.priority > ? AND obj.title=?" and the two values as properties?

-- 
Chris Snyder
http://chxo.com/

From dorgan at optonline.net Thu Sep 27 09:44:11 2007
From: dorgan at optonline.net (Donald Organ)
Date: Thu, 27 Sep 2007 09:44:11 -0400
Subject: [nycphp-talk] Webservice Issue with .NET
Message-ID: <1190900651.6021.6.camel@dorgan-mobile2>

I am wondering if anyone else has had this issue before.

I have a webservice made using Services_Webservice (PEAR package). In one method of my service I am returning a complex type, which is able to be read just fine, but I had to add more properties to the object, and now one of the properties is an array of complex types. When invoking the webservice from PHP I am able to see this property and each object in the array just fine, but when invoking this service from .NET it seems that the property is null.
I am just wondering if anyone else has had any issues with this. Thanks
From bz-gmort at beezifies.com Thu Sep 27 09:46:21 2007 From: bz-gmort at beezifies.com (bz-gmort at beezifies.com) Date: Thu, 27 Sep 2007 09:46:21 -0400 Subject: [nycphp-talk] Not-so-subtle attack on PHP In-Reply-To: <343915.12072.qm@web60224.mail.yahoo.com> References: <343915.12072.qm@web60224.mail.yahoo.com> Message-ID: <46FBB42D.4080608@beezifies.com> John Zabroski wrote: > We should always say what we mean, and always question what we mean. I > can guarantee you I learned this the hard way. You got conned into sitting on a stupid egg too?
From tedd at sperling.com Thu Sep 27 11:05:28 2007 From: tedd at sperling.com (tedd) Date: Thu, 27 Sep 2007 11:05:28 -0400 Subject: [nycphp-talk] Not-so-subtle attack on PHP In-Reply-To: <46FA3A69.6000109@secdat.com> References: <46FA3A69.6000109@secdat.com> Message-ID: At 6:54 AM -0400 9/26/07, Kenneth Downs wrote: >From: >http://www.eweek.com/article2/0,1759,2188714,00.asp > >Q: How can sites protect themselves against SQL injection? >A: The best defense is to design your database-backed Web site >properly to make sure it always separates SQL code and user data. >You basically have a choice between programming tools that are >specifically designed to prevent you from making this kind of >mistake and those that allow you to get into trouble if you're not >careful. Roughly speaking, this corresponds to the difference >between the newer Microsoft .Net tools and their older tools or open >source frameworks like PHP. But of course -- Microsoft has always been leading the pack in everything it does. The net is no exception, take a look at its IE browsers with respect to web standards and compliance issues -- they certainly define what's best for the rest of us, right? Wrong! Seriously, M$ has one thing on its mind and that is to control as much as possible -- and that control is solely for profit and not for the better good.
If they can sell .Net tools as the "best" way to go, and you buy into it, then I have some swamp land for you to consider because in either case, you're wading into a quagmire. Answers like that above are just more M$ noise for profit. Cheers, tedd -- ------- http://sperling.com http://ancientstones.com http://earthstones.com
From mitch.pirtle at gmail.com Thu Sep 27 11:32:32 2007 From: mitch.pirtle at gmail.com (Mitch Pirtle) Date: Thu, 27 Sep 2007 11:32:32 -0400 Subject: [nycphp-talk] Not-so-subtle attack on PHP In-Reply-To: <46FBB42D.4080608@beezifies.com> References: <343915.12072.qm@web60224.mail.yahoo.com> <46FBB42D.4080608@beezifies.com> Message-ID: <330532b60709270832q5bfbe5c1l82686a9cba61b6d5@mail.gmail.com> On 9/27/07, bz-gmort at beezifies.com wrote: > John Zabroski wrote: > > We should always say what we mean, and always question what we mean. I > > can guarantee you I learned this the hard way. > > You got conned into sitting on a stupid egg too? I squished mine. -- Mitch, sobbing uncontrollably in the corner
From dorgan at optonline.net Thu Sep 27 14:30:32 2007 From: dorgan at optonline.net (Donald Organ) Date: Thu, 27 Sep 2007 14:30:32 -0400 Subject: [nycphp-talk] Webservice Issue with .NET In-Reply-To: <1190900651.6021.6.camel@dorgan-mobile2> References: <1190900651.6021.6.camel@dorgan-mobile2> Message-ID: <1190917832.16612.5.camel@dorgan-mobile2> Wow no one has had any problems like this?? On Thu, 2007-09-27 at 09:44 -0400, Donald Organ wrote: > I am wondering if anyone else has had this issue before. > > I have a webservice made using Services_Webservice (PEAR package). In > one method of my service I am returning a complex type, which is able to > be read just fine, but I had to add more properties to the object, and > now one of the properties is an array of complex types.
> When invoking > the webservice from PHP I am able to see these properties and each object > in the array just fine, but when invoking this service from .NET it > seems that the property is null. > > I am just wondering if anyone else has had any issues with this. > > Thanks > > _______________________________________________ > New York PHP Community Talk Mailing List > http://lists.nyphp.org/mailman/listinfo/talk > > NYPHPCon 2006 Presentations Online > http://www.nyphpcon.com > > Show Your Participation in New York PHP > http://www.nyphp.org/show_participation.php
From ramons at gmx.net Thu Sep 27 16:11:50 2007 From: ramons at gmx.net (David Krings) Date: Thu, 27 Sep 2007 16:11:50 -0400 Subject: [nycphp-talk] Webservice Issue with .NET In-Reply-To: <1190917832.16612.5.camel@dorgan-mobile2> References: <1190900651.6021.6.camel@dorgan-mobile2> <1190917832.16612.5.camel@dorgan-mobile2> Message-ID: <46FC0E86.7070302@gmx.net> Donald Organ wrote: > Wow no one has had any problems like this?? > Maybe no one else uses .NET?
From dorgan at optonline.net Thu Sep 27 16:14:17 2007 From: dorgan at optonline.net (Donald Organ) Date: Thu, 27 Sep 2007 16:14:17 -0400 Subject: [nycphp-talk] Webservice Issue (was Webserivce Issue with .NET ) no longer just .NET In-Reply-To: <46FC0E86.7070302@gmx.net> References: <1190900651.6021.6.camel@dorgan-mobile2> <1190917832.16612.5.camel@dorgan-mobile2> <46FC0E86.7070302@gmx.net> Message-ID: <1190924057.16612.10.camel@dorgan-mobile2> OK, well, I believe it's no longer just a .NET issue. It seems the service itself isn't returning a value for that property at all, and I know it's being set because if I dump the object to the screen via PHP it appears fine. On Thu, 2007-09-27 at 16:11 -0400, David Krings wrote: > Donald Organ wrote: > > Wow no one has had any problems like this?? > > > Maybe no one else uses .NET?
From cliff at pinestream.com Thu Sep 27 16:25:24 2007 From: cliff at pinestream.com (Cliff Hirsch) Date: Thu, 27 Sep 2007 16:25:24 -0400 Subject: [nycphp-talk] Apache document root location question Message-ID: I am bringing up a production server where the Apache document root is currently: /srv/www/htdocs Yet my application is in another directory and has its own public htdocs directory. The php files in the public htdocs dir know that they are in a subdir one level below the application directory, so I'd rather not move those files to /srv/www/htdocs. This helps with includes, requires, etc. when it comes to finding files in the correct filepath. Should I just make my application htdocs dir the new document root? Or should I make a symbolic link, alias, redirect or virtual host (always get confused about which to use since they seem to achieve the same thing)? Or I guess I could move my entire application to /srv/www, which would keep the hierarchy intact. Thoughts? Want to get this right for production.... Cliff
From mitch.pirtle at gmail.com Thu Sep 27 16:42:04 2007 From: mitch.pirtle at gmail.com (Mitch Pirtle) Date: Thu, 27 Sep 2007 16:42:04 -0400 Subject: [nycphp-talk] Apache document root location question In-Reply-To: References: Message-ID: <330532b60709271342i1b09a917r1e2b06e43319deba@mail.gmail.com> On 9/27/07, Cliff Hirsch wrote: > > Should I just make my application htdocs dir the new document root? Or > should I make a symbolic link, alias, redirect or virtual host (always get > confused about which to use since they seem to achieve the same thing)? Or I > guess I could move my entire application to /srv/www, which would keep the > hierarchy intact.
> > Thoughts? Want to get this right for production.... I'd just make that the docroot for that virtualhost. Symlinks always seem to get phaclemped one way or another. -- Mitch
From cliff at pinestream.com Thu Sep 27 16:51:58 2007 From: cliff at pinestream.com (Cliff Hirsch) Date: Thu, 27 Sep 2007 16:51:58 -0400 Subject: [nycphp-talk] Apache document root location question In-Reply-To: <330532b60709271342i1b09a917r1e2b06e43319deba@mail.gmail.com> Message-ID: On 9/27/07 4:42 PM, "Mitch Pirtle" wrote: > On 9/27/07, Cliff Hirsch wrote: >> >> Should I just make my application htdocs dir the new document root? Or >> should I make a symbolic link, alias, redirect or virtual host (always get >> confused about which to use since they seem to achieve the same thing)? Or I >> guess I could move my entire application to /srv/www, which would keep the >> hierarchy intact. >> >> Thoughts? Want to get this right for production.... > > I'd just make that the docroot for that virtualhost. Symlinks always > seem to get phaclemped one way or another. > > -- Mitch I guess that would be the way to go, using IP-based virtual hosts so I can use SSL. Virtualhosts would give me flexibility in the future to have subdomains, etc. One thought I had was to do this: Alias / /newfilepath But that effectively kills the main document root.
From ioplex at gmail.com Thu Sep 27 20:52:28 2007 From: ioplex at gmail.com (Michael B Allen) Date: Thu, 27 Sep 2007 20:52:28 -0400 Subject: [nycphp-talk] Digest Authentication w/ Login Form Message-ID: <78c6bd860709271752l68ffc03bjd0e696116a97046e@mail.gmail.com> Hi, I think I already know the answer to this is a simple "no" but I suppose it can't hurt to ask. Is it possible to do digest authentication from a login form? I'm curious as to why there isn't a special form element type like "password" that doesn't compute a digest. Otherwise, is there a reasonable Free / free JavaScript implementation of MD5 and Base64?
Mike
From ioplex at gmail.com Thu Sep 27 21:22:05 2007 From: ioplex at gmail.com (Michael B Allen) Date: Thu, 27 Sep 2007 21:22:05 -0400 Subject: [nycphp-talk] Re: Digest Authentication w/ Login Form In-Reply-To: <78c6bd860709271752l68ffc03bjd0e696116a97046e@mail.gmail.com> References: <78c6bd860709271752l68ffc03bjd0e696116a97046e@mail.gmail.com> Message-ID: <78c6bd860709271822k63d064b3m89d17078a02f7b21@mail.gmail.com> On 9/27/07, Michael B Allen wrote: > Is it possible to do digest authentication from a login form? Of course I just figured out how to do this in record time. I also just realized that, for reasons not worth going into I can't use this. But for posterity here's the solution: A BSD implementation of both MD5 and Base64 is here: http://ecmanaut.googlecode.com/svn/trunk/lib/md5.js Here's the client side (only the visible labels of the HTML form survive in the archive; its markup and script were stripped):
Login
Username:
Password:
I haven't actually tried to validate the resulting hash but I'm pretty confident it will work. Mike
From 1j0lkq002 at sneakemail.com Fri Sep 28 01:54:46 2007 From: 1j0lkq002 at sneakemail.com (inforequest) Date: Thu, 27 Sep 2007 22:54:46 -0700 Subject: [nycphp-talk] [OT] PHP IDS & Web Application Security In-Reply-To: <330532b60709250851n39fb7ea1nef55c0c750de19bf@mail.gmail.com> References: <4aba01c7fefb$74b8e830$6401a8c0@gamebox> <330532b60709250851n39fb7ea1nef55c0c750de19bf@mail.gmail.com> Message-ID: <22858-45554@sneakemail.com> Mitch Pirtle mitch.pirtle-at-gmail.com |nyphp dev/internal group use| wrote: >On 9/24/07, Ben Sgro (ProjectSkyLine) wrote: > > >>I recently finished a security audit and pen test for a client. I couldn't >>believe the problems they had. >>They found a developer off CL and with his impressive portfolio decided to >>work with him. Now my >>firm, 8 months later, is fixing all the developer's mistakes. They had cookie >>based auth, file upload >>exploits, xss, sql injection, ... you name it we could do it. Anyways, it's >>just sad to see these types of >>moonlight coders calling themselves developers and doing an awful job at >>writing software and leaving >>their clients exposed. >> >> > >You know what? As long as the market for geeks remains hot like it is >now, there will be these parasites making us all look bad. Unfortunate >but true, and I distinctly remember observing this last time around in >the late 90s. Once the bubble burst and the economy went into the >toilet, all these folks went back to whatever it was they were doing >before jumping on the web developer bandwagon in disguise. > >-- Mitch > > Wow Mitch, you just described the SEO field to a T. -=john -- ------------------------------------------------------------- Your web server traffic log file is the most important source of web business information available. Do you know where your logs are right now? Do you know who else has access to your log files?
When they were last archived? Where those archives are? --John Andrews Competitive Webmaster and SEO Blogging at http://www.johnon.com
From elharo at metalab.unc.edu Fri Sep 28 04:13:53 2007 From: elharo at metalab.unc.edu (Elliotte Harold) Date: Fri, 28 Sep 2007 04:13:53 -0400 Subject: [nycphp-talk] Not-so-subtle attack on PHP In-Reply-To: <46FB9241.3040404@secdat.com> References: <46FA3A69.6000109@secdat.com> <46FB9241.3040404@secdat.com> Message-ID: <46FCB7C1.8010205@metalab.unc.edu> Kenneth Downs wrote: > In SQL Injection, the user accesses some table they are not supposed to > access. This can only be done if the application connects to the > database as some generic user, where that generic user can do anything > it wants. Not always. Sometimes it's about accessing a row they're not supposed to access, or adding a WHERE clause they're not supposed to run, or a function they're not supposed to be able to call. Table level security is not enough. For example, you may well have data from multiple users in one table (you usually will in fact) but don't want Bob to be able to see Alice's data. If Bob can change "WHERE user = 'Bob'" to "WHERE user = 'Bob' or user = 'Alice'" your table level security has just been broken. :-( There are also attacks that access columns the user isn't supposed to see. A credit card company may allow users to see their purchase history, for example, but not see the merchant ID numbers associated with each purchase. Your scenario assumes users can see entire tables, and more often than not for random web surfers, that is not the security model we want. -- Elliotte Rusty Harold elharo at metalab.unc.edu Java I/O 2nd Edition Just Published!
http://www.cafeaulait.org/books/javaio2/ http://www.amazon.com/exec/obidos/ISBN=0596527500/ref=nosim/cafeaulaitA/ From ken at secdat.com Fri Sep 28 07:05:53 2007 From: ken at secdat.com (Kenneth Downs) Date: Fri, 28 Sep 2007 07:05:53 -0400 Subject: [nycphp-talk] Not-so-subtle attack on PHP In-Reply-To: <46FCB7C1.8010205@metalab.unc.edu> References: <46FA3A69.6000109@secdat.com> <46FB9241.3040404@secdat.com> <46FCB7C1.8010205@metalab.unc.edu> Message-ID: <46FCE011.9040405@secdat.com> Elliotte Harold wrote: > Kenneth Downs wrote: > >> In SQL Injection, the user accesses some table they are not supposed >> to access. This can only be done if the application connects to the >> database as some generic user, where that generic user can do >> anything it wants. > > Not always. Sometimes it's about accessing a row they're not supposed > to access, You are correct that row level and column level security are required to completely finish the picture (not something I was going to bring up in a first post). I wasn't going to go that deep in a first exposition. In fact, the complete resolution down to cell-level security is in theory the final story. Andromeda supports row-level and column-level security precisely for this reason. I have one customer in particular for whom that is the most used feature. But it remains true that the entire security model of a table-based system is security privileges on the tables (including rows and columns). Everything else /resolves to this in the end/. For this reason we also don't use or need any stored procedures, as they complicate the security picture without adding benefit. By implementing security directly on tables and making use of triggers we have the tightest possible encapsulation of data and code. Finally, you ain't never going to do better in code, because the possibilities for latent errors are too high. 
By contrast, direct assignments to tables, being the /final action required anyway/, are the easiest to work out and assign, and the easiest to document and verify. Code-based solutions don't come close to providing the security you need. -- Kenneth Downs Secure Data Software, Inc. www.secdat.com www.andromeda-project.org 631-689-7200 Fax: 631-689-0527 cell: 631-379-0010
From bz-gmort at beezifies.com Fri Sep 28 07:14:36 2007 From: bz-gmort at beezifies.com (bz-gmort at beezifies.com) Date: Fri, 28 Sep 2007 07:14:36 -0400 Subject: [nycphp-talk] Not-so-subtle attack on PHP In-Reply-To: <46FB9241.3040404@secdat.com> References: <46FA3A69.6000109@secdat.com> <46FB9241.3040404@secdat.com> Message-ID: <46FCE21C.9040901@beezifies.com> Kenneth Downs wrote: > 1) SQL Injection does not let them do anything they can't do anyway, so > at most it is a waste of the hacker's time Many things are a waste of the cracker's time, but they do them anyway. So counting on the result not being worth the time of the cracker is wishful thinking. :-) > 2) Our user interface design focuses on the idea that they should see > everything they can do, and everything they can see they can do. Again, > SQL Injection only gives them a really crude way to do something that's > probably on the menu! Hmm, I think in terms of online stores and credits. Sure, the person can purchase a credit and have the data in their user record updated, but it is so much cheaper to do an "update usertable set credits=10000 where uid = 'me'" Or someone who doesn't like the clunky deletion interface for the rows of a table, and instead wants to do a "delete * from customer_Table" I suppose one way to work around this is to only give a user access to tables they are allowed to have complete control over.
But then creating thousands of user tables and then joining them together for reporting would be tedious (though you could do the reverse, have 1 user table and create an individualized view for each user so the user only accesses their data through the view. Does MySQL 5 allow you to perform updates through views?)
From ken at secdat.com Fri Sep 28 08:03:21 2007 From: ken at secdat.com (Kenneth Downs) Date: Fri, 28 Sep 2007 08:03:21 -0400 Subject: [nycphp-talk] Not-so-subtle attack on PHP In-Reply-To: <46FCE21C.9040901@beezifies.com> References: <46FA3A69.6000109@secdat.com> <46FB9241.3040404@secdat.com> <46FCE21C.9040901@beezifies.com> Message-ID: <46FCED89.9020001@secdat.com> bz-gmort at beezifies.com wrote: > Kenneth Downs wrote: >> 1) SQL Injection does not let them do anything they can't do anyway, >> so at most it is a waste of the hacker's time > > Many things are a waste of the cracker's time, but they do them > anyway. So counting on the result not being worth the time of the cracker > is wishful thinking. :-) The focus is on "...does not let them do anything they can't do anyway...." If the hacker wants to test the SQL injection abilities, let them. Let them have fun. Let them learn. The real question is, can they do harm? And the answer is NO, not if they are connected to the database with an account that has limited security abilities. > >> 2) Our user interface design focuses on the idea that they should see >> everything they can do, and everything they can see they can do. >> Again, SQL Injection only gives them a really crude way to do >> something that's probably on the menu! > > Hmm, I think in terms of online stores and credits. Sure, the person > can purchase a credit and have the data in their user record updated, > but it is so much cheaper to do an "update usertable set credits=10000 > where uid = 'me'" See Rusty's comment and my reply on row-level and column-level security. -- Kenneth Downs Secure Data Software, Inc.
www.secdat.com www.andromeda-project.org 631-689-7200 Fax: 631-689-0527 cell: 631-379-0010
From bz-gmort at beezifies.com Fri Sep 28 08:58:07 2007 From: bz-gmort at beezifies.com (bz-gmort at beezifies.com) Date: Fri, 28 Sep 2007 08:58:07 -0400 Subject: [nycphp-talk] Not-so-subtle attack on PHP In-Reply-To: <46FCED89.9020001@secdat.com> References: <46FA3A69.6000109@secdat.com> <46FB9241.3040404@secdat.com> <46FCE21C.9040901@beezifies.com> <46FCED89.9020001@secdat.com> Message-ID: <46FCFA5F.9010701@beezifies.com> Kenneth Downs wrote: > The focus is on "...does not let them do anything they can't do anyway...." >If the hacker wants to test the SQL injection abilities, let them. >Let them have fun. Let them learn. The real question is, can they >do harm? And the answer is NO, not if they are connected to the >database with an account that has limited security abilities. Hmm, I would say tricking someone into wiping out all patient records by having them click a custom crafted link which uses their authority to wipe every record in the database (since they have delete authority) would be harm. >> Hmm, I think in terms of online stores and credits. Sure, the person >> can purchase a credit and have the data in their user record updated, >> but it is so much cheaper to do an "update usertable set credits=10000 >> where uid = 'me'" > > See Rusty's comment and my reply on row-level and column-level security. > > Looking over your project website, it seems you're doing this with views, correct? I also note you're using Postgres as your DB Engine. Is it possible to provide the same type of security through views in MySQL (to be honest, due to the large number of v4 servers out there, I haven't kept up with V5 in regards to views) Row and column level security wouldn't help from an online store perspective.
You could establish a level of this security through triggers, for example in a credit-based system, instead of updating credits directly, you could do inserts into a purchase table and that table has a trigger to update the credits based on the package purchased. I'm not disputing that your model is a good model to follow where feasible (a database server where you can create user accounts for every user), and given unlimited funds of course it should always be implemented. But even this method doesn't eliminate problems with SQL injection, it minimizes them (depending on the application design, this may or may not result in fairly comprehensive protection.) I wonder how difficult it would be to design a functional application that would work both in the shared hosting/single db user model AND a dedicated server/multi user model, and would there even be a market for such an app (market defined as people who would use it in both modes).
From rmarscher at beaffinitive.com Fri Sep 28 11:17:41 2007 From: rmarscher at beaffinitive.com (Rob Marscher) Date: Fri, 28 Sep 2007 11:17:41 -0400 Subject: [nycphp-talk] SPL - Do you use? In-Reply-To: <65430E89-BE46-43C4-818A-7CBB0523C3F1@jonbaer.com> References: <65430E89-BE46-43C4-818A-7CBB0523C3F1@jonbaer.com> Message-ID: On Sep 27, 2007, at 8:14 AM, Jon Baer wrote: > Do many here use the SPL library? I know zend framework uses a bunch of it. Zend_Registry, for example, extends from ArrayObject. The DirectoryIterator seems kinda convenient. I haven't gotten that into it yet though.
> I could never really understand this "library", on one side part of > the Java programming that I really felt to be a burden of added / > bloated code was the idea of the "Iterator" (you always had to grab > one) and that is pretty much what the SPL is (for PHP5), and part > of the joy to PHP was the ease + use of a foreach loop and then > Java took a step back and implemented the same foreach idea in > current JVMs but I barely see it used in many projects. I would > guess that Java people coming to PHP would understand it's uses / > design pattern better but the part of the Zend article I don't > understand is ... > "This library of interfaces creates a standard API for certain > kinds of built-in functionality, allowing your classes to interact > with the PHP engine in a much more seamless manner." > I'm just wondering if this means the use of saying "foreach($objects > as $object)" or does refactoring w/ PHP5 Iterators also get you > something else as well? I think there are more built-in php functions that your objects can take advantage of... found this in the unit test code, for example (the opening "<?php $ar = array(0=>" was eaten by the archive and is restored here):
<?php
$ar = array(0=>0, 1=>1);
$ar = new ArrayObject($ar);
var_dump($ar);
$ar[2] = 2;
var_dump($ar[2]);
var_dump($ar["3"] = 3);
var_dump(array_merge((array)$ar, array(4=>4, 5=>5)));
?>
On a side note, the initial reaction of a friend of mine to the zend framework was that it felt too much like java. He's a former java developer, who switched to php, and now works in ruby as well.
From ken at secdat.com Fri Sep 28 12:42:11 2007 From: ken at secdat.com (Kenneth Downs) Date: Fri, 28 Sep 2007 12:42:11 -0400 Subject: [nycphp-talk] Not-so-subtle attack on PHP In-Reply-To: <46FCFA5F.9010701@beezifies.com> References: <46FA3A69.6000109@secdat.com> <46FB9241.3040404@secdat.com> <46FCE21C.9040901@beezifies.com> <46FCED89.9020001@secdat.com> <46FCFA5F.9010701@beezifies.com> Message-ID: <46FD2EE3.3000802@secdat.com> bz-gmort at beezifies.com wrote: > Kenneth Downs wrote: > >> The focus is on "...does not let them do anything they can't do >> anyway...." > >> If the hacker wants to test the SQL injection abilities, let them. > >Let them have fun. Let them learn. The real question is, can they > >do harm? And the answer is NO, not if they are connected to the > >database with an account that has limited security abilities. > > Hmm, I would say tricking someone into wiping out all patient records > by having them click a custom crafted link which uses their authority > to wipe every record in the database (since they have delete authority) > would be harm. ....but of course we want to prevent session hijacking and forged urls no matter what the security mechanism, right? ...and I assume your database has foreign keys and delete constraints that would prevent orphaning all of those customers' orders, right? ...and finally, who is it that is connecting with the ability to wipe every record in the database? > > >>> Hmm, I think in terms of online stores and credits. The nature of the application does not determine the security model, any more than it determines the language. We don't use PHP for retail and Java for wholesale. The nature of the app simply determines the security assignments made, just as it determines what actual PHP or Java we write. >> > > Looking over your project website, it seems you're doing this with > views, correct? Column and row-level security, yes. > > I also note you're using Postgres as your DB Engine.
> Is it possible to > provide the same type of security through views in MySQL (to be honest, > due to the large number of v4 servers out there, I haven't kept up > with V5 in regards to views) Prior to version 5, MySQL lacked so many basic database features that it was just not in the running. That is why Andromeda uses Postgres (I certainly did not pick Postgres so I could enjoy opting out of what 99.9% of the community is using, but it lets me deliver work to my customers). With version 5 the non-MySQL world is looking at it and saying, "Hmmm, they're getting there, I'll be interested in looking at version 6 or 7." > > Row and column level security wouldn't help from an online store > perspective. See comment above. It's not about the kind of application. To give an analogy, lots of people don't think Javascript handles inheritance because there is no class. Then they find out about prototypes and they say, "Oh, ok, there is a way to do everything, it's just different." Now, whether or not it's *better*, well I won't comment on that. Same goes for database security. There is a way to do everything you can possibly want to do. The stunning and obvious fact that I will keep repeating is, /it all comes down to table permission in the end anyway!/ Most people just don't think that way, so they can't see how to design it in. They think in terms of, "Who should be allowed to run this program that does these powerful and dangerous actions?" I will claim that putting security directly into the database is better than any other way because it /does what is needed in the end with the least possible work./ > You could establish a level of this security through triggers, for > example in a credit-based system, instead of updating credits > directly, you could do inserts into a purchase table and that table > has a trigger to update the credits based on the package purchased. More or less, yes. A public user is not allowed to write to the items availability table.
But he can insert a line into the orders table (which is always stamped with his user_id), and a trigger fires that decrements the availability. > > I'm not disputing that your model is a good model to follow where > feasible (a database server where you can create user accounts for > every user), and given unlimited funds of course it should always be > implemented. But even this method doesn't eliminate problems with SQL > injection, it minimizes them (depending on the application design, this > may or may not result in fairly comprehensive protection.) You are making the classic "Javascript can't do OO because it doesn't have classes" mistake. Andromeda systems cost less to develop, are more secure, and easier to document than any code-centric alternative, precisely because of the radical DRY (don't repeat yourself) element of our database design. A single spec details table structure, calculations, and security, and the builder builds the database for me. On a completely off-topic segue, the new UI that I showed off at LIPHP is really cool, I'll be making that public today or tomorrow, it really shows off the approach. > > I wonder how difficult it would be to design a functional application > that would work both in the shared hosting/single db user model AND a > dedicated server/multi user model, and would there even be a market > for such an app (market defined as people who would use it in both modes) Actually an Andromeda node can host any number of applications, private business apps and public sites both (as SDS servers in fact do), with multiple instances of the same apps and multiple versions of the same apps all running simultaneously. All database users are fully isolated into their individual apps. -- Kenneth Downs Secure Data Software, Inc. www.secdat.com www.andromeda-project.org 631-689-7200 Fax: 631-689-0527 cell: 631-379-0010
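The table-permission model argued over in this thread (Rusty's Bob/Alice WHERE clause and hidden merchant ID column, the "set credits=10000" UPDATE that should be impossible, and Ken's orders row that is stamped with the user and decrements availability by trigger) as an added illustration in PostgreSQL DDL; this is not code from the thread or from Andromeda, and every table, column and role name in it is invented. The credits case from the thread is the same pattern as the orders/availability pair shown here.

```sql
-- Added illustration, not code from the thread or from Andromeda. Every
-- table, column and role name (item, orders, my_orders, web_public, bob,
-- alice) is invented for the example. Written for PostgreSQL.

CREATE TABLE item (
    item_id   serial  PRIMARY KEY,
    name      text    NOT NULL,
    available integer NOT NULL CHECK (available >= 0)  -- stock can never go negative
);

CREATE TABLE orders (
    order_id    serial  PRIMARY KEY,
    item_id     integer NOT NULL REFERENCES item (item_id),
    qty         integer NOT NULL CHECK (qty > 0),
    ordered_by  text    NOT NULL,  -- stamped by the trigger below, never taken from the client
    merchant_id integer            -- internal reference the public must never see
);

-- One database role per web user; web_public is the group they all belong to.
CREATE ROLE web_public NOLOGIN;
CREATE ROLE bob   LOGIN IN ROLE web_public;
CREATE ROLE alice LOGIN IN ROLE web_public;

-- The grants are the whole security model: read stock, add orders, nothing else.
-- No UPDATE or DELETE on either table is ever granted to web_public.
GRANT SELECT ON item   TO web_public;
GRANT INSERT ON orders TO web_public;
GRANT USAGE  ON SEQUENCE orders_order_id_seq TO web_public;

-- Stock changes only through an order. SECURITY DEFINER runs the trigger with
-- the owner's rights, so it may update item although the caller cannot.
CREATE FUNCTION orders_before_insert() RETURNS trigger
    LANGUAGE plpgsql SECURITY DEFINER SET search_path = pg_catalog, public
AS $$
BEGIN
    NEW.ordered_by  := current_user;  -- ignore whatever the client claimed
    NEW.merchant_id := NULL;          -- the public cannot set internal fields either
    UPDATE item SET available = available - NEW.qty
     WHERE item_id = NEW.item_id;
    -- With too little stock the CHECK on item raises, which aborts this insert too.
    RETURN NEW;
END
$$;

CREATE TRIGGER orders_bi BEFORE INSERT ON orders
    FOR EACH ROW EXECUTE PROCEDURE orders_before_insert();

-- Row-level and column-level security as a view: each user sees only their
-- own orders and never the merchant_id column. A view is read with its
-- owner's rights, so web_public needs no SELECT on orders itself. On 9.2 and
-- later add WITH (security_barrier = true) so that a leaky function in the
-- caller's WHERE clause cannot be used to peek at the filtered-out rows.
CREATE VIEW my_orders AS
    SELECT order_id, item_id, qty, ordered_by
      FROM orders
     WHERE ordered_by = current_user;
GRANT SELECT ON my_orders TO web_public;

-- Seed one product as the owner, then act as a web user.
INSERT INTO item (name, available) VALUES ('widget', 5);

SET ROLE bob;
INSERT INTO orders (item_id, qty) VALUES (1, 2);   -- ok: ordered_by = 'bob', stock now 3
SELECT * FROM my_orders;                            -- Bob's rows only, no merchant_id
INSERT INTO orders (item_id, qty) VALUES (1, 9);   -- fails: CHECK (available >= 0)
-- Statements an injection bug in the PHP layer might smuggle through all fail
-- with "permission denied", whatever the PHP code did with its quoting:
UPDATE item SET available = 10000 WHERE item_id = 1;
DELETE FROM orders;
SELECT * FROM orders WHERE ordered_by = 'alice';
RESET ROLE;
```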
From bz-gmort at beezifies.com Fri Sep 28 13:02:27 2007 From: bz-gmort at beezifies.com (bz-gmort at beezifies.com) Date: Fri, 28 Sep 2007 13:02:27 -0400 Subject: [nycphp-talk] Not-so-subtle attack on PHP In-Reply-To: <46FD2EE3.3000802@secdat.com> References: <46FA3A69.6000109@secdat.com> <46FB9241.3040404@secdat.com> <46FCE21C.9040901@beezifies.com> <46FCED89.9020001@secdat.com> <46FCFA5F.9010701@beezifies.com> <46FD2EE3.3000802@secdat.com> Message-ID: <46FD33A3.1020803@beezifies.com> Kenneth Downs wrote: > ....but of course we want to prevent session hijacking and forged urls no matter what the security mechanism, right? I'd also like to prevent users entering something in an input field because their "friend" tells them it's a good idea. But since I can't control users..... > bz-gmort at beezifies.com wrote: >> >> I wonder how difficult it would be to design a functional application >> that would work both in the shared hosting/single db user model AND a >> dedicated server/multi user model, and would there even be a market >> for such an app (market defined as people who would use it in both modes) > > Actually an Andromeda node can host any number of applications, private > business apps and public sites both (as SDS servers in fact do), with > multiple instances of the same apps and multiple versions of the same > apps all running simultaneously. All database users are fully isolated > into their individual apps. I'm thinking more from the perspective that the Application would run on a GoDaddy host, it will run on a Dreamhost account, and it will run on a dedicated server. Designed in such a way to devolve down to the single db user access rights when that is all that is available, but will scale up to the multi user access level when it's available. It would mean a lot of redundant code at the application level to manage security when the user access is lacking.
It seems to me it's better to start with an app dedicated for the shared hosting environment and then upgrade to something like Andromeda when it is economically justified. But it would be cool to be able to use the same app under different security models. From jcampbell1 at gmail.com Fri Sep 28 13:35:44 2007 From: jcampbell1 at gmail.com (John Campbell) Date: Fri, 28 Sep 2007 13:35:44 -0400 Subject: [nycphp-talk] Not-so-subtle attack on PHP In-Reply-To: <46FD2EE3.3000802@secdat.com> References: <46FA3A69.6000109@secdat.com> <46FB9241.3040404@secdat.com> <46FCE21C.9040901@beezifies.com> <46FCED89.9020001@secdat.com> <46FCFA5F.9010701@beezifies.com> <46FD2EE3.3000802@secdat.com> Message-ID: <8f0676b40709281035v34a197fag828134700357737e@mail.gmail.com> On 9/28/07, Kenneth Downs wrote: > I will claim that putting security > directly into the database is better than any other way because it does what > is needed in the end with the least possible work. I must be missing something. Take a simple social networking scenario: A user can only see another user's complete profile if and only if they are mutual friends. Implementing that in the tables would be a huge pain in the ass and incur a big performance penalty. Is there some super easy way to implement this that I am missing? My problem with implementing security in the database is that it forces a relationship between data elements and users, whereas if you implement the security layer between the application and the data then you can write policies that are a function of the data itself. 
-Cheers John Campbell From bz-gmort at beezifies.com Fri Sep 28 13:57:11 2007 From: bz-gmort at beezifies.com (bz-gmort at beezifies.com) Date: Fri, 28 Sep 2007 13:57:11 -0400 Subject: [nycphp-talk] Not-so-subtle attack on PHP In-Reply-To: <8f0676b40709281035v34a197fag828134700357737e@mail.gmail.com> References: <46FA3A69.6000109@secdat.com> <46FB9241.3040404@secdat.com> <46FCE21C.9040901@beezifies.com> <46FCED89.9020001@secdat.com> <46FCFA5F.9010701@beezifies.com> <46FD2EE3.3000802@secdat.com> <8f0676b40709281035v34a197fag828134700357737e@mail.gmail.com> Message-ID: <46FD4077.7040603@beezifies.com> John Campbell wrote: > On 9/28/07, Kenneth Downs wrote: > >> I will claim that putting security >> directly into the database is better than any other way because it does what >> is needed in the end with the least possible work. > > I must be missing something. Take a simple social networking > scenario: A user can only see another user's complete profile if and > only if they are mutual friends. Implementing that in the tables > would be a huge pain in the ass and incur a big performance penalty. > Is there some super easy way to implement this that I am missing? It would? Think of the profile information as follows:

ProfileTable: Username, userid, fullname, address, emailaddress, bio, Recordid
FriendTable: Recordid, friendid

So, in the classic sense, if someone loads a profile, you might do a join between friendtable and profiletable and add a where clause where the friendid equals your userid - if you get data from it you display it. Otherwise, you would pull just the public information. 
In a DB driven sense, you would have:

ProfileTable: Username, fullname, address, emailaddress, bio, Recordid
FriendTable: Recordid, friendusername
PublicProfiles: A select-only view of ProfileTable having only: username, fullname, bio

And then for each and every userid, you have created automatically a set of views:

Myusername.friendprofiles
    select Username, fullname, address, emailaddress, bio from profiletable where recordid in (select recordid from friendtable where friendusername = 'myusername')

(and to extend it a bit, you would also have a view for update:

Myusername.myprofile
    select Username, fullname, address, emailaddress, bio from profiletable where username = 'myusername')

Now from the application perspective, you have 2 queries: First you do a select to the myusername.friendprofiles table and if you locate the user you're looking for, display the full data. Second, if no record is found, then check the publicprofiles table for data. The important point here is that the only view you have UPDATE authority to is myusername.myprofile, whereas you have select authority on myusername.friendprofiles and publicprofiles. You have no direct access to the profiletable. Now, assume for a moment that the user gets some SQL injected past the program. In the first case, since all the queries are run against the profiletable, the user can then view the private information of other users (and worse, can change it since they have edit authority to edit their own record!) With the view level security, the only view they can update is myusername.myprofile - so they can only change their personal record. As for selecting data, they can only select from the myusername.friendsprofile and myusername.publicprofiles. Since the only data in those views is the data they are allowed to see anyway, even if they manage an SQL injection they still can't view data they were not authorized to access. 
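The view-based design described in the post above, written out as an added PostgreSQL example; this is not bz-gmort's code and not Andromeda's. It assumes PostgreSQL 9.4 or later (for WITH CHECK OPTION) and the made-up roles alice, bob and carol with placeholder passwords. It also generalizes the post by one step: instead of generating one friendprofiles/myprofile view per account, a single view filters on current_user, so every user still sees only their own slice and no view has to be created or altered when an account is added.

```sql
-- Added example, not from the thread. Assumes PostgreSQL >= 9.4 and that the
-- script is run by the schema owner (a superuser or the owner of the tables).

CREATE TABLE profiles (
    recordid     serial PRIMARY KEY,
    username     text NOT NULL UNIQUE,
    fullname     text,
    address      text,
    emailaddress text,
    bio          text
);

-- Mirrors the post's FriendTable: the owning record plus the friend's username.
CREATE TABLE friends (
    recordid       integer NOT NULL REFERENCES profiles(recordid),
    friendusername text    NOT NULL,
    PRIMARY KEY (recordid, friendusername)
);

-- Constructed sample data (not real people).
INSERT INTO profiles (username, fullname, address, emailaddress, bio) VALUES
    ('alice', 'Alice A.', '1 First St',  'alice@example.invalid', 'likes SQL'),
    ('bob',   'Bob B.',   '2 Second St', 'bob@example.invalid',   'likes PHP'),
    ('carol', 'Carol C.', '3 Third St',  'carol@example.invalid', 'likes views');
-- bob lists alice as a friend; nobody lists carol's friends yet.
INSERT INTO friends VALUES
    ((SELECT recordid FROM profiles WHERE username = 'bob'), 'alice');

-- Public columns only, for everyone.
CREATE VIEW publicprofiles AS
    SELECT username, fullname, bio FROM profiles;

-- Full rows, but only for profiles that list the calling user as a friend.
-- current_user is evaluated per session, so this one view serves every account.
CREATE VIEW friendprofiles AS
    SELECT p.username, p.fullname, p.address, p.emailaddress, p.bio
      FROM profiles p
     WHERE p.recordid IN (SELECT f.recordid
                            FROM friends f
                           WHERE f.friendusername = current_user);

-- The caller's own row, updatable. WITH CHECK OPTION rejects any UPDATE that
-- would move the row outside the view's WHERE clause (e.g. renaming yourself).
CREATE VIEW myprofile AS
    SELECT username, fullname, address, emailaddress, bio
      FROM profiles
     WHERE username = current_user
    WITH CHECK OPTION;

-- One database role per application user; the base tables are never granted.
CREATE ROLE alice LOGIN PASSWORD 'placeholder-change-me';
CREATE ROLE bob   LOGIN PASSWORD 'placeholder-change-me';
REVOKE ALL ON profiles, friends FROM PUBLIC;
GRANT SELECT         ON publicprofiles, friendprofiles TO alice, bob;
GRANT SELECT, UPDATE ON myprofile                      TO alice, bob;

-- Check the policy as alice would see it.
SET ROLE alice;
SELECT username, address FROM friendprofiles;        -- bob's row only
-- A widened WHERE clause (what a stray ' OR '1'='1 would produce) still
-- cannot reach carol: the view, not the WHERE clause, bounds the result.
SELECT username, address FROM friendprofiles
 WHERE username = '' OR '1'='1';                     -- still bob's row only
SELECT address FROM profiles;                        -- ERROR: permission denied
UPDATE myprofile SET bio = 'x' WHERE username = 'carol';  -- UPDATE 0 (not visible)
UPDATE myprofile SET username = 'mallory';           -- ERROR: violates check option
RESET ROLE;
```

Two properties make this work and both are worth checking on a real deployment: the views are owned by the table owner, so they read the base tables on the caller's behalf while the caller holds no table privilege at all, and each application user must connect as their own database role, because on a shared host with a single database login current_user is the same for everyone and the design collapses back into the single-user model the thread discusses.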
From jcampbell1 at gmail.com Fri Sep 28 14:49:56 2007 From: jcampbell1 at gmail.com (John Campbell) Date: Fri, 28 Sep 2007 14:49:56 -0400 Subject: [nycphp-talk] Not-so-subtle attack on PHP In-Reply-To: <46FD4077.7040603@beezifies.com> References: <46FA3A69.6000109@secdat.com> <46FB9241.3040404@secdat.com> <46FCE21C.9040901@beezifies.com> <46FCED89.9020001@secdat.com> <46FCFA5F.9010701@beezifies.com> <46FD2EE3.3000802@secdat.com> <8f0676b40709281035v34a197fag828134700357737e@mail.gmail.com> <46FD4077.7040603@beezifies.com> Message-ID: <8f0676b40709281149q7bd50053ued2825fb976c2b7f@mail.gmail.com> That makes sense to me, I have never considered using eleventy thousand views. Is managing all of those views a problem? Do you create the views on the fly, or are they "fixed" when you create the new user account? How do you alter the views? From mitch.pirtle at gmail.com Fri Sep 28 15:04:12 2007 From: mitch.pirtle at gmail.com (Mitch Pirtle) Date: Fri, 28 Sep 2007 15:04:12 -0400 Subject: [nycphp-talk] Not-so-subtle attack on PHP In-Reply-To: <8f0676b40709281149q7bd50053ued2825fb976c2b7f@mail.gmail.com> References: <46FA3A69.6000109@secdat.com> <46FB9241.3040404@secdat.com> <46FCE21C.9040901@beezifies.com> <46FCED89.9020001@secdat.com> <46FCFA5F.9010701@beezifies.com> <46FD2EE3.3000802@secdat.com> <8f0676b40709281035v34a197fag828134700357737e@mail.gmail.com> <46FD4077.7040603@beezifies.com> <8f0676b40709281149q7bd50053ued2825fb976c2b7f@mail.gmail.com> Message-ID: <330532b60709281204m1b92afd8y6128a3fe39e06fc5@mail.gmail.com> On 9/28/07, John Campbell wrote: > That makes sense to me, I have never considered using eleventy > thousand views. Is managing all of those views a problem? Do you > create the views on the fly, or are they "fixed" when you create the > new user account? How do you alter the views? 
If you're using MySQL, then you bypass views and give as much RAM as you can to the query cache ;-) Alternately, you could use something like memcache and store the fetched values as arrays (based on userid) and then set your application to update the key in the cache whenever that userid is updated (from the relationship perspective). With that approach, you offload the work to memcache which is purely memory resident, meaning very very low load on the server to provide that information. Also, you can set the value of the userid's for one userid as an array, making it even easier to answer the question: So who am I friends with, and can see their personal profiles? -- Mitch From bz-gmort at beezifies.com Fri Sep 28 15:12:44 2007 From: bz-gmort at beezifies.com (bz-gmort at beezifies.com) Date: Fri, 28 Sep 2007 15:12:44 -0400 Subject: [nycphp-talk] Not-so-subtle attack on PHP In-Reply-To: <8f0676b40709281149q7bd50053ued2825fb976c2b7f@mail.gmail.com> References: <46FA3A69.6000109@secdat.com> <46FB9241.3040404@secdat.com> <46FCE21C.9040901@beezifies.com> <46FCED89.9020001@secdat.com> <46FCFA5F.9010701@beezifies.com> <46FD2EE3.3000802@secdat.com> <8f0676b40709281035v34a197fag828134700357737e@mail.gmail.com> <46FD4077.7040603@beezifies.com> <8f0676b40709281149q7bd50053ued2825fb976c2b7f@mail.gmail.com> Message-ID: <46FD522C.2030506@beezifies.com> John Campbell wrote: > That makes sense to me, I have never considered using eleventy > thousand views. Is managing all of those views a problem? Do you > create the views on the fly, or are they "fixed" when you create the > new user account? How do you alter the views? Dunno, I would assume it depends on the system. I would imagine maintenance isn't that big of a deal, just like you can alter a table, you can alter a view and since you can list out all the views, it would be simple to script all that sort of thing. The last time I used views was over 10 years ago on DB2. 
Then I moved to using lightweight relational DBs like MySQL - which lacked the features of an enterprise database, but also lacked the high hardware requirements of one. Now MySQL is slowly approaching the features of enterprise databases, but it's a different time. Memory and CPU are a lot cheaper now than 10 years ago. DB2 was interesting, as every table had an "owner" which defaulted to the user who created it, but did not have to be. If you ran a query and just specified a table name, it assumed the userid running the query to be the owner. So we could create a view for every user with just the table/view name (for example: friendsprofile) and it would automatically be treated as username.friendsprofile. Whereas for the general tables we would assign a generic "owner" (you could also use different generic owners the way MySQL uses a prefix, so instead of having prefix1_table, prefix2_table, prefix3_table we would have prod.table, dev.table, test.table) From danielc at analysisandsolutions.com Fri Sep 28 15:59:40 2007 From: danielc at analysisandsolutions.com (Daniel Convissor) Date: Fri, 28 Sep 2007 15:59:40 -0400 Subject: [nycphp-talk] Webservice Issue with .NET In-Reply-To: <1190900651.6021.6.camel@dorgan-mobile2> References: <1190900651.6021.6.camel@dorgan-mobile2> Message-ID: <20070928195939.GA1230@panix.com> Heya: On Thu, Sep 27, 2007 at 09:44:11AM -0400, Donald Organ wrote: > > I have a webservice made using Services_Webservice(PEAR Package). ... > but when invoking this service from .NET it > seems that the property is null. I've run into issues using PEAR SOAP with .NET. 
For example: http://pear.php.net/bugs/bug.php?id=7064 --Dan -- T H E A N A L Y S I S A N D S O L U T I O N S C O M P A N Y data intensive web and database programming http://www.AnalysisAndSolutions.com/ 4015 7th Ave #4, Brooklyn NY 11232 v: 718-854-0335 f: 718-854-0409 From ken at secdat.com Fri Sep 28 16:18:44 2007 From: ken at secdat.com (Kenneth Downs) Date: Fri, 28 Sep 2007 16:18:44 -0400 Subject: [nycphp-talk] Not-so-subtle attack on PHP In-Reply-To: <8f0676b40709281149q7bd50053ued2825fb976c2b7f@mail.gmail.com> References: <46FA3A69.6000109@secdat.com> <46FB9241.3040404@secdat.com> <46FCE21C.9040901@beezifies.com> <46FCED89.9020001@secdat.com> <46FCFA5F.9010701@beezifies.com> <46FD2EE3.3000802@secdat.com> <8f0676b40709281035v34a197fag828134700357737e@mail.gmail.com> <46FD4077.7040603@beezifies.com> <8f0676b40709281149q7bd50053ued2825fb976c2b7f@mail.gmail.com> Message-ID: <46FD61A4.1060207@secdat.com> John Campbell wrote: > That makes sense to me, I have never considered using eleventy > thousand views. Is managing all of those views a problem? Do you > create the views on the fly, or are they "fixed" when you create the > new user account? How do you alter the views? > no no no no no no no. If the server supports row-level security, all users access the table itself. User A, with full powers, says: SELECT * FROM examples and sees:

COLUMN 1     | COLUMN 2      | USER_ID
-------------+---------------+--------------
Value xxxx   | Value zzzz    | Joe
abc-123      | xyz-abc       | Joe
tuscon       | texas         | Mary

When user Joe comes along, he issues exactly the same query, but he sees this:

COLUMN 1     | COLUMN 2      | USER_ID
-------------+---------------+--------------
Value xxxx   | Value zzzz    | Joe
abc-123      | xyz-abc       | Joe

The column-level is the same. Let's say Joe was not allowed to see Column 2. So Joe says: SELECT * FROM examples and he gets as his result:

COLUMN 1     | USER_ID
-------------+--------------
Value xxxx   | Joe
abc-123      | Joe

You also need to know something about the concept of security roles or groups. Joe is a member of a group, perhaps named "public", and the security assignment is made to the group, not to the user. The sad fact is that most servers do not support this directly, so you fake it out by creating one view per meaningful security definition. In the most complicated Andromeda app a particular table has 4 different views for 200 users. The framework then asks the server which view a particular user should use. That particular view gives the effects described above. If they try to use a different view they are denied access. > _______________________________________________ > New York PHP Community Talk Mailing List > http://lists.nyphp.org/mailman/listinfo/talk > > NYPHPCon 2006 Presentations Online > http://www.nyphpcon.com > > Show Your Participation in New York PHP > http://www.nyphp.org/show_participation.php > -- Kenneth Downs Secure Data Software, Inc. www.secdat.com www.andromeda-project.org 631-689-7200 Fax: 631-689-0527 cell: 631-379-0010 -------------- next part -------------- An HTML attachment was scrubbed... 
URL: From ken at secdat.com Fri Sep 28 16:38:09 2007 From: ken at secdat.com (Kenneth Downs) Date: Fri, 28 Sep 2007 16:38:09 -0400 Subject: [nycphp-talk] Not-so-subtle attack on PHP In-Reply-To: <8f0676b40709281035v34a197fag828134700357737e@mail.gmail.com> References: <46FA3A69.6000109@secdat.com> <46FB9241.3040404@secdat.com> <46FCE21C.9040901@beezifies.com> <46FCED89.9020001@secdat.com> <46FCFA5F.9010701@beezifies.com> <46FD2EE3.3000802@secdat.com> <8f0676b40709281035v34a197fag828134700357737e@mail.gmail.com> Message-ID: <46FD6631.8040904@secdat.com> John Campbell wrote: > On 9/28/07, Kenneth Downs wrote: > > >> I will claim that putting security >> directly into the database is better than any other way because it does what >> is needed in the end with the least possible work. >> > > I must be missing something. Take a simple social networking > scenario: A user can only see another user's complete profile if and > only if they are mutual friends. Implementing that in the tables > would be a huge pain in the ass and incur a big performance penalty. > Is there some super easy way to implement this that I am missing? > > No matter how you do it, you have to define it first. Your rules, in English, roughly, are:

1) A user can see his own profile
2) A user can see his friends' profiles

Translated into database terms:

1) A user can see row(s) in the profiles table where the user_id column matches his
2) A user can see row(s) in the profiles table if the user_id matches a cross-reference that lists him and the target user.

If you want public/private profiles you repeat the same process for defining column-by-column access. As I've said many times in this thread, it will all come down to database definitions in the end, so the real question is about the easiest way to implement the most reliable approach. The Andromeda definition would be something like this:

table profiles:
    column user_id:
        primary_key: "Y"
        # Supergods can see any row, but....
        group supergods:
            permrow: "N"
        # ...group "general" only sees rows where this
        # column matches their user_id
        group general:
            permrow: "Y"
        # ...any member of the group friends can see
        # a row here if they are on the left side
        # of friends x-ref table
        group friends:
            permrow_table: friends
    column name:
    column address:
    column city:
    ....etc....

# This is the cross-reference of friends
table friends:
    foreign_key profiles:
        suffix: _1
    foreign_key profiles:
        suffix: _2

Now that it's defined the question is what is the easiest way to implement it? If the server can do it for you then you have no more work to do. That's why I wrote Andromeda and that's what Andromeda does for me. But I don't do social networking sites -- I wish I had something that simple! -- Kenneth Downs Secure Data Software, Inc. www.secdat.com www.andromeda-project.org 631-689-7200 Fax: 631-689-0527 cell: 631-379-0010 -------------- next part -------------- An HTML attachment was scrubbed... URL: From elharo at metalab.unc.edu Fri Sep 28 18:49:53 2007 From: elharo at metalab.unc.edu (Elliotte Harold) Date: Fri, 28 Sep 2007 18:49:53 -0400 Subject: [nycphp-talk] Not-so-subtle attack on PHP In-Reply-To: <46FCED89.9020001@secdat.com> References: <46FA3A69.6000109@secdat.com> <46FB9241.3040404@secdat.com> <46FCE21C.9040901@beezifies.com> <46FCED89.9020001@secdat.com> Message-ID: <46FD8511.9060705@metalab.unc.edu> Kenneth Downs wrote: > >> Many things are a waste of the cracker's time, but they do them >> anyway. So counting on the result not being worth the time of cracker >> is wishful thinking. :-) > Even if one has full cell level security in the DB, I expect there are still denial of service injection attacks that may not access any cells at all. I'll leave it to the SQL experts to devise the nastiest, exponential time problems they can express in SQL. Brownie points for doing it in pure SQL without any vendor extensions. 
:-) -- Elliotte Rusty Harold elharo at metalab.unc.edu Java I/O 2nd Edition Just Published! http://www.cafeaulait.org/books/javaio2/ http://www.amazon.com/exec/obidos/ISBN=0596527500/ref=nosim/cafeaulaitA/ From lists at silmail.com Sat Sep 29 06:33:33 2007 From: lists at silmail.com (Jiju Thomas Mathew) Date: Sat, 29 Sep 2007 16:03:33 +0530 Subject: [nycphp-talk] Not-so-subtle attack on PHP In-Reply-To: <46FD8511.9060705@metalab.unc.edu> References: <46FA3A69.6000109@secdat.com> <46FB9241.3040404@secdat.com> <46FCE21C.9040901@beezifies.com> <46FCED89.9020001@secdat.com> <46FD8511.9060705@metalab.unc.edu> Message-ID: <6431a0f40709290333p3f82a0b4r7877f54670221ff9@mail.gmail.com> Would some of you comment on the following bit?

class sqlDb {
    public $link;

    function __construct($dsn) {
        $pdsn = parse_url($dsn);
        if ($pdsn['scheme'] !== 'mysql') die("System is designed for MySQL only.. Please Correct the dsn");
        $mysql_db = preg_replace("@^\/@", '', $pdsn['path']);
        $this->link = mysql_connect($pdsn['host'], $pdsn['user'], $pdsn['pass']) or die("Could not connect");
        // Select the database on this connection explicitly, not on "the last opened" one.
        mysql_select_db($mysql_db, $this->link) or die("Could not select database");
    }

    // Reports a failed query and rolls back. Echoing the failing SQL reveals table
    // and column names to whoever sees the page, so this belongs in development only.
    function error($query, $errno, $error) {
        echo $error . "\n" . $query;
        mysql_query("rollback", $this->link);
        return false;
    }

    /**
     * Sends a query to the database
     *
     * @param string $query
     * @return resource|false
     */
    function query($query) {
        $result = mysql_query($query, $this->link)
            or $this->error($query, mysql_errno($this->link), mysql_error($this->link));
        return $result;
    }

    // True when a value is meant to be spliced in as a raw SQL expression ("func:NOW() - 1").
    function is_func($value) {
        return is_string($value) && strncasecmp($value, 'func:', 5) === 0;
    }

    /**
     * Perform a modification query on database
     *
     * $table, the keys of $data, any "func:" value and $parameters go into the
     * SQL unescaped: they must come from program code, never from request input.
     * Only ordinary values of $data are escaped.
     *
     * @param string $table
     * @param array  $data       column => value
     * @param string $action     'insert' or 'update'
     * @param string $parameters WHERE clause for updates, without the WHERE keyword
     * @return resource|false
     */
    function perform($table, $data, $action = 'insert', $parameters = '') {
        if ($action == 'insert') {
            $query = 'INSERT INTO ' . $table . ' (' . join(', ', array_keys($data)) . ') VALUES (';
            foreach ($data as $value) {
                if ($this->is_func($value)) {
                    $query .= substr($value, 5) . ', ';
                } else {
                    switch ((string)$value) {
                        case 'now()': $query .= 'NOW(), '; break;
                        case 'null':  $query .= 'NULL, '; break;
                        default:      $query .= '\'' . $this->input($value) . '\', '; break;
                    }
                }
            }
            $query = substr($query, 0, -2) . ')';
        } elseif ($action == 'update') {
            $query = 'UPDATE ' . $table . ' SET ';
            foreach ($data as $columns => $value) {
                if ($this->is_func($value)) {
                    // The posted version omitted " = " here, producing "SET col NOW(), ...".
                    $query .= $columns . ' = ' . substr($value, 5) . ', ';
                } else {
                    switch ((string)$value) {
                        case 'now()': $query .= $columns . ' = NOW(), '; break;
                        case 'null':  $query .= $columns . ' = NULL, '; break;
                        case '++':    $query .= $columns . ' = ' . $columns . ' + 1, '; break;
                        default:      $query .= $columns . ' = \'' . $this->input($value) . '\', '; break;
                    }
                }
            }
            $query = substr($query, 0, -2);
            if ($parameters !== '') $query .= ' WHERE ' . $parameters;
        } else {
            return false;   // unknown action: $query would otherwise be undefined
        }
        return $this->query($query);
    }

    function fetch_object($result) { return mysql_fetch_object($result); }
    function fetch_array($result)  { return mysql_fetch_array($result, MYSQL_ASSOC); }
    function fetch_row($result)    { return mysql_fetch_row($result); }
    function num_rows($result)     { return mysql_num_rows($result); }
    function data_seek($result, $row_number) { return mysql_data_seek($result, $row_number); }
    function insert_id()           { return mysql_insert_id($this->link); }
    function affected_rows()       { return mysql_affected_rows($this->link); }
    function free_result($result)  { return mysql_free_result($result); }
    function fetch_fields($result) { return mysql_fetch_field($result); }

    // Escape for HTML output.
    function output($string) { return htmlspecialchars($string); }

    // Escape for use inside a single-quoted SQL literal. addslashes() (as posted)
    // does not know the connection's character set; mysql_real_escape_string() does.
    function input($string) { return mysql_real_escape_string($string, $this->link); }

    // Undo magic_quotes-style slashes and trim, recursing into arrays.
    function prepare_input($string) {
        if (is_string($string)) {
            return trim(stripslashes($string));
        } elseif (is_array($string)) {
            foreach ($string as $key => $value) {
                $string[$key] = $this->prepare_input($value);
            }
            return $string;
        } else {
            return $string;
        }
    }
}

-------------- next part -------------- An HTML attachment was scrubbed... URL: From ramons at gmx.net Sat Sep 29 07:39:56 2007 From: ramons at gmx.net (David Krings) Date: Sat, 29 Sep 2007 07:39:56 -0400 Subject: [nycphp-talk] Not-so-subtle attack on PHP In-Reply-To: <8f0676b40709281035v34a197fag828134700357737e@mail.gmail.com> References: <46FA3A69.6000109@secdat.com> <46FB9241.3040404@secdat.com> <46FCE21C.9040901@beezifies.com> <46FCED89.9020001@secdat.com> <46FCFA5F.9010701@beezifies.com> <46FD2EE3.3000802@secdat.com> <8f0676b40709281035v34a197fag828134700357737e@mail.gmail.com> Message-ID: <46FE398C.4080502@gmx.net> John Campbell wrote: > On 9/28/07, Kenneth Downs wrote: > >> I will claim that putting security >> directly into the database is better than any other way because it does what >> is needed in the end with the least possible work. > > I must be missing something. 
Take a simple social networking > scenario: A user can only see another user's complete profile if and > only if they are mutual friends. Implementing that in the tables > would be a huge pain in the ass and incur a big performance penalty. > Is there some super easy way to implement this that I am missing? > > My problem with implementing security in the database, is that it > forces a relationship between data elements and users, where as if you > implement the security layer between the application and the data then > you can write policies that are a function of the data itself. And not only that, adding security to the database will basically put part of the business logic into the database, which makes it very difficult to abstract the db layer and be db platform independent. Not everyone runs MySQL or MSSQL or Postgres. My experience is that the less you rely in logic on the db the better it is unless you are guaranteed to have your pick in db platforms. That is why I do not get those who sell to unknown platform environments and jam pack MSSQL with stored procedures. Create a real server app - which, I know, has some disadvantages as well. David From ken at secdat.com Sat Sep 29 09:28:01 2007 From: ken at secdat.com (Kenneth Downs) Date: Sat, 29 Sep 2007 09:28:01 -0400 Subject: [nycphp-talk] Not-so-subtle attack on PHP In-Reply-To: <46FD8511.9060705@metalab.unc.edu> References: <46FA3A69.6000109@secdat.com> <46FB9241.3040404@secdat.com> <46FCE21C.9040901@beezifies.com> <46FCED89.9020001@secdat.com> <46FD8511.9060705@metalab.unc.edu> Message-ID: <46FE52E1.2060202@secdat.com> Elliotte Harold wrote: > Kenneth Downs wrote: >> >>> Many things are a waste of the cracker's time, but they do them >>> anyway. So counting on the result not being worth the time of >>> cracker is wishful thinking. :-) >> > > Even if one has full cell level security in the DB, I expect there are > still denial of service injection attacks that may not access any > cells at all. 
I'll leave it to the SQL experts to devise the nastiest, > exponential time problems they can express in SQL. Brownie points for > doing it in pure SQL without any vendor extensions. :-) > Even with db security you have to escape the strings to save things like the name of our favorite publisher. So the database has this row in it: Name: Captain Cracker Email: you at wont.ever.known Company: O'Reilly comments: I will kill your system';drop database social_networking And you say, 'hmmm, that's an interesting comment.' -- Kenneth Downs Secure Data Software, Inc. www.secdat.com www.andromeda-project.org 631-689-7200 Fax: 631-689-0527 cell: 631-379-0010 From chsnyder at gmail.com Sat Sep 29 16:39:11 2007 From: chsnyder at gmail.com (csnyder) Date: Sat, 29 Sep 2007 16:39:11 -0400 Subject: [nycphp-talk] SPL - Do you use? In-Reply-To: References: <65430E89-BE46-43C4-818A-7CBB0523C3F1@jonbaer.com> Message-ID: On 9/28/07, Rob Marscher wrote: > On a side note, the initial reaction of a friend of mine to the zend > framework was that it felt too much like java. He's a former java > developer, who switched to php, and now works in ruby as well). > Interesting... one of the excellent benefits of all the frameworks (backend and front-end/ajax) that have emerged over the past few years is that developers are getting exposed to a lot of new patterns and concepts by using them. -- Chris Snyder http://chxo.com/ From ioplex at gmail.com Sat Sep 29 18:34:55 2007 From: ioplex at gmail.com (Michael B Allen) Date: Sat, 29 Sep 2007 18:34:55 -0400 Subject: [nycphp-talk] SPL - Do you use? In-Reply-To: <65430E89-BE46-43C4-818A-7CBB0523C3F1@jonbaer.com> References: <65430E89-BE46-43C4-818A-7CBB0523C3F1@jonbaer.com> Message-ID: <78c6bd860709291534j125faca7g909bbef93a6ef5a6@mail.gmail.com> On 9/27/07, Jon Baer wrote: > Do many here use the SPL library? 
> > I could never really understand this "library", on one side part of the Java > programming that I really felt to be a burden of added / bloated code was > the idea of the "Iterator" (you always had to grab one) and that is pretty > much what the SPL is (for PHP5), and part of the joy to PHP was the ease + > use of a foreach loop and then Java took a step back and implemented the > same foreach idea in current JVMs but I barely see it used in many projects. > I would guess that Java people coming to PHP would understand its uses / > design pattern better I did Java for many years. Now I do mostly C. But at the moment I've been digging around inside Zend Framework. So I think I can add a few opinions about this topic. Whenever the topic of OOP comes up I can't help but wonder if they're just enthusiastic about just having read Design Patterns or if they really understand that OOP is just a tool that has certain use scenarios. It seems that a lot of people think that if a language supports OOP that they should always use it as if it were "better" than not using OOP. That is false. For example, I did a network protocol client in Java that was basically a lot of encoding and decoding of binary blobs and multiplexing I/O and so on. Because Java's libraries required OOP (unlike C++ which is backward compatible with straight C) it was actually harder to write networking code. Aside from occasionally using inheritance to do simple things like represent similar packet formats, Java just got in the way. In some cases libraries were so bloated and overdesigned we simply couldn't use them (even though they were specifically designed for doing network programming (e.g. nio and concurrency packages)). OOP provides one major benefit - polymorphism. If you don't need polymorphism, you should not be using OOP. But in some cases polymorphism can make your code very simple and yet highly extensible. It *can* be extremely powerful. 
I don't know anything about SPL but if it doesn't make any difference to use foreach instead of an Iterator then obviously you should use foreach. But if it is desirable to allow users to redefine how the behavior of the iteration works, then an Iterator class may be appropriate. > but the part of the Zend article I don't understand is > ... > > > "This library of interfaces creates a standard API for certain kinds of > built-in functionality, allowing your classes to interact with the PHP > engine in a much more seamless manner." One of the more powerful use cases for polymorphism (and thus OOP capabilities of the language being used) are frameworks. Frameworks are by definition supposed to be extensible so the benefits of using OOP can far outweigh the overhead of using it. Currently I am writing Zend_Auth_Adapter classes for Kerberos authentication (SPNEGO for SSO and vanilla Kerberos for the login form) and a Zend_Controller plugin. With the Zend_Controller plugin users will be able to tweak their bootstrap file and add Kerberos SSO and a Kerberos login form without modifying the underlying code. As for Zend Framework itself, my first impression is that it's actually pretty well thought out. I've done a number of auth plugins for various PHP apps; the trend is to over-abstract the authentication process. I'm very pleased to say that ZF did not do this. The Zend_Auth_Adapter interface has one method 'authenticate()' and avoids the common mistake of trying to manage and automatically persist credentials. The other ZF component I have experience with is Zend_Controller and again, despite my reservations about OOP, it is not over-designed. Sure there's overhead in creating all of those objects and resolving methods but you do get significant flexibility in return. And another thing that should not be overlooked is that that flexibility ensures that there will be a healthy community which provides the operator with invaluable support. 
I predict that Zend Framework will be quite popular. Mike From jonbaer at jonbaer.com Sat Sep 29 19:29:15 2007 From: jonbaer at jonbaer.com (Jon Baer) Date: Sat, 29 Sep 2007 19:29:15 -0400 Subject: [nycphp-talk] PHP 5.3 / Namespaces Message-ID: <3E0069C7-A673-424E-868E-63AEFC007240@jonbaer.com> So according to a few (kinda old) blogs, etc, in 5.3 we should be able to accomplish something like this (correct me if I'm wrong, I've only poked through latest php-src): Just curious, does importing again as MCL create a stack or does it throw an exception? If it is stacked this would give you a mixin like capability wouldn't it? Either way I'd think it was possible if this is true: 6) Calls to qualified functions are resolved at run-time. Call to A::B::foo() first tries to call function foo() from namespace A::B, then it tries to find class A::B (__autoload() it if necessary) and call its static method foo() - Jon -------------- next part -------------- An HTML attachment was scrubbed... URL: From jonbaer at jonbaer.com Sat Sep 29 19:34:51 2007 From: jonbaer at jonbaer.com (Jon Baer) Date: Sat, 29 Sep 2007 19:34:51 -0400 Subject: [nycphp-talk] SPL - Do you use? In-Reply-To: <78c6bd860709291534j125faca7g909bbef93a6ef5a6@mail.gmail.com> References: <65430E89-BE46-43C4-818A-7CBB0523C3F1@jonbaer.com> <78c6bd860709291534j125faca7g909bbef93a6ef5a6@mail.gmail.com> Message-ID: Excellent feedback from everyone on SPL, thanks for taking time to post back. - Jon On Sep 29, 2007, at 6:34 PM, Michael B Allen wrote: > On 9/27/07, Jon Baer wrote: >> Do many here use the SPL library? 
>> >> I could never really understand this "library", on one side part >> of the Java >> programming that I really felt to be a burden of added / bloated >> code was >> the idea of the "Iterator" (you always had to grab one) and that >> is pretty >> much what the SPL is (for PHP5), and part of the joy to PHP was >> the ease + >> use of a foreach loop and then Java took a step back and >> implemented the >> same foreach idea in current JVMs but I barely see it used in many >> projects. >> I would guess that Java people coming to PHP would understand >> its uses / >> design pattern better > > I did Java for many years. Now I do mostly C. But at the moment I've > been digging around inside Zend Framework. So I think I can add a few > opinions about this topic. From johnzabroski at yahoo.com Sun Sep 30 22:50:07 2007 From: johnzabroski at yahoo.com (John Zabroski) Date: Sun, 30 Sep 2007 19:50:07 -0700 (PDT) Subject: [nycphp-talk] SPL - Do you use? In-Reply-To: <78c6bd860709291534j125faca7g909bbef93a6ef5a6@mail.gmail.com> Message-ID: <159033.76159.qm@web60221.mail.yahoo.com> The benefit of object-orientation is message dispatch. Objects are peers. They define what to do, not how to do it. Delegation of responsibilities is therefore way more dependable a concept than simply polymorphism. If the notion of a network of inter-cooperating agents working together to accomplish a task resembles your task, then objects might make sense. Polymorphism isn't why object-oriented frameworks are successful. In general, frameworks are successful because the problem application domain was well understood before it was ever translated into code. Frameworks tend to address a vertical line of business (some ill-defined problem application domain) or a horizontal line of business (i.e., security). Frameworks are also successful because they usually glue together off-the-shelf software in interesting ways that rapidly solve problems. 
Also, if you want to make your code very simple, then just obey the first
rule of programming: figure out what you want to say before you figure out
how to say it. Meaningful abstractions can never be crafted in the absence
of a well-defined context.

Programming language concepts don't make programming simple. Deep,
penetrating knowledge of the problem application domain makes programming
simpler. Having a language that you can easily translate that knowledge
into is also a boon, just as having off-the-shelf software that you can
glue into your architecture is a boon.

Michael B Allen wrote:
> OOP provides one major benefit - polymorphism. If you don't need
> polymorphism, you should not be using OOP. But in some cases
> polymorphism can make your code very simple and yet highly extensible.
> It *can* be extremely powerful.

-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From edwardpotter at gmail.com Sun Sep 30 23:33:54 2007
From: edwardpotter at gmail.com (Edward Potter)
Date: Sun, 30 Sep 2007 23:33:54 -0400
Subject: [nycphp-talk] SPL - Do you use?
In-Reply-To: <159033.76159.qm@web60221.mail.yahoo.com>
References: <78c6bd860709291534j125faca7g909bbef93a6ef5a6@mail.gmail.com> <159033.76159.qm@web60221.mail.yahoo.com>
Message-ID:

When it gets to this abstract level, just think of objects as cells &
functions as peptides carrying messages (variables) to hungry mitochondria
(http://en.wikipedia.org/wiki/Mitochondrion) waiting to be fed to make
those cells work for you. If you have all your code working correctly,
you'll be able to interconnect them all and you'll get a Paris Hilton - or
something like that. :-) Then take 2 Prozac, and re-boot . . .

ed (works for me)

On 9/30/07, John Zabroski wrote:
> The benefit of object-orientation is message dispatch. Objects are peers.
> They define what to do, not how to do it. Delegation of responsibilities is
> therefore a far more dependable concept than simple polymorphism. If the
> notion of a network of inter-cooperating agents working together to
> accomplish a task resembles your task, then objects might make sense.
>
> Polymorphism isn't why object-oriented frameworks are successful. In
> general, frameworks are successful because the problem application domain
> was well understood before it was ever translated into code. Frameworks
> tend to address a vertical line of business (some ill-defined problem
> application domain) or a horizontal line of business (i.e., security).
> Frameworks are also successful because they usually glue together
> off-the-shelf software in interesting ways that rapidly solve problems.
>
> Also, if you want to make your code very simple, then just obey the
> first rule of programming: figure out what you want to say before you
> figure out how to say it. Meaningful abstractions can never be crafted in
> the absence of a well-defined context.
>
> Programming language concepts don't make programming simple. Deep,
> penetrating knowledge of the problem application domain makes programming
> simpler. Having a language that you can easily translate that knowledge
> into is also a boon, just as having off-the-shelf software that you can
> glue into your architecture is a boon.
>
>
> Michael B Allen wrote:
> OOP provides one major benefit - polymorphism. If you don't need
> polymorphism, you should not be using OOP. But in some cases
> polymorphism can make your code very simple and yet highly extensible.
> It *can* be extremely powerful.
>
> _______________________________________________
> New York PHP Community Talk Mailing List
> http://lists.nyphp.org/mailman/listinfo/talk
>
> NYPHPCon 2006 Presentations Online
> http://www.nyphpcon.com
>
> Show Your Participation in New York PHP
> http://www.nyphp.org/show_participation.php

--
the Blog: http://www.utopiaparkway.com
the Karma: http://www.coderswithconscience.com
the Projects: http://flickr.com/photos/86842405 at N00/
the Store: http://astore.amazon.com/httpwwwutopic-20
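Jon's namespace question earlier in this thread quotes rule 6) from the 2007 development tree, where a call like A::B::foo() could fall through from a function to a class static method. The example below is added here and is not code from the thread or from php-src; it shows how the feature behaved once PHP 5.3 shipped: the separator became `\`, a qualified function call resolves only to a function (no class fallback, no __autoload), a second `use ... as` with an already-taken alias is a compile-time fatal error rather than a stack, and unqualified calls are resolved at run time with a fallback to the global namespace. That last rule is the one a security reviewer cares about, because a function with a builtin's name defined in your own namespace silently captures every unqualified call to that builtin in the same namespace. The namespaces App\Util and App\Demo, the class Tools, the alias MCL and the function foo are assumptions made up for this illustration; it assumes PHP 5.3 or later.

```php
<?php
// Added example, not part of the original thread. Assumes PHP >= 5.3.
// App\Util, App\Demo, Tools, MCL and foo are made-up names.

namespace App\Util;

// A function and a class that share the short name "foo".
function foo() { return 'function App\Util\foo'; }

class Tools {
    public static function foo() { return 'static App\Util\Tools::foo'; }
}

// A user function named like a builtin is legal inside a namespace.
// Every *unqualified* strlen() call made from inside App\Util now lands
// here, not on the builtin: this is how a dropped-in file can hijack
// "harmless" calls in code that shares its namespace.
function strlen($s) { return -1; }

function lengthOf($s) {
    return strlen($s);   // captured by App\Util\strlen above, returns -1
}

function safeLengthOf($s) {
    return \strlen($s);  // leading backslash pins the global builtin
}

namespace App\Demo;

use App\Util\Tools as MCL;
// A second import under the same alias does not stack; it is a
// compile-time "Fatal error: Cannot use ... as MCL because the name is
// already in use", so there is no mixin-by-reimport:
// use App\Util\Other as MCL;

function resolve() {
    return array(
        // Qualified function call: resolves to App\Util\foo and nothing
        // else. No fallback to a class static method, no autoload.
        'qualified_function' => \App\Util\foo(),

        // A static call must name the class (here through the alias).
        'aliased_static'     => MCL::foo(),

        // Unqualified call from App\Demo: PHP looks for App\Demo\strlen at
        // run time, does not find it, and falls back to the global builtin.
        // Any file loaded later that defines App\Demo\strlen would take
        // this call over without touching this line.
        'unqualified'        => strlen('abc'),

        // Pinned to the builtin regardless of what the namespace defines.
        'pinned_global'      => \strlen('abc'),

        // Same spelling, different namespace: captured, returns -1.
        'captured_in_util'   => \App\Util\lengthOf('abc'),

        // The pinned form inside App\Util is immune to the shadow.
        'pinned_in_util'     => \App\Util\safeLengthOf('abc'),
    );
}

print_r(resolve());
```

The practical rule that falls out of this: in a namespaced code base, either prefix calls to builtins with a backslash in anything that handles untrusted input or security decisions, or grep your tree for `function strlen`, `function htmlspecialchars` and the like, since a definition of a builtin's name inside any namespace is a legitimate PHP construct that will not trigger a warning.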