R_P
Members
Posts: 98
Joined:
Last visited: Never

Everything posted by R_P

  1. Krystof, This is a MySQL error, not a PHP error. That probably means the code is correct and the query is wrong. My best guess would be to change the lines: $query .= "WHERE id=" . $news_id ." "; $query .= "LIMIT 1"; to: $query .= "WHERE id='".$news_id ."' "; $query .= "LIMIT 1;";
  2. Hey guys, It's been a while, I know. I used to love coming here to answer people's questions, but work and school have been keeping me too busy to do anything but lurk. I usually write all my code/apps by hand and over the past couple of years created a common set of PHP functions that I implement on every site. This code continues to grow, and may become a framework one day (http://ryan.crawford.com/framework/default/). I wanted to present some of the crux functions for your consideration. Specifically I'd like to know what your best practices are in relation to preventing SQL insertion attacks, looking at the functions I use to control it:

     private $chars = array(
         ";"  => "{00sc}", "'"  => "{01sq}", "!"  => "{02ex}", "$"  => "{03dl}",
         "%"  => "{04pr}", "<"  => "{05ls}", ">"  => "{06gt}", "="  => "{07eq}",
         "&"  => "{08an}", "#"  => "{09pd}", ","  => "{10cm}", "/"  => "{11fs}",
         "*"  => "{12as}", "\\" => "{13bs}"
     );

     /*
      * Func: inject($str) - aptly named
      * Desc: We'll be the only people doing SQL injection here
      */
     function inject($str) {
         return str_replace(array_keys($this->chars), array_values($this->chars), $str);
     }

     /*
      * Func: extract($str)
      * Desc: Opposite of inject
      * Note: $this->depc is a second replacement table that is not shown in this post
      */
     function extract($str) {
         $str = str_replace(array_values($this->depc), array_keys($this->depc), $str);
         return str_replace(array_values($this->chars), array_keys($this->chars), $str);
     }

     /*
      * Func: query($query_data)
      * Desc: Make a query on the database (SELECT)
      * Note: If a log directory is defined, we will track queries
      */
     function query($qdata) {
         $result = mysql_query($qdata) or die("<br>Query: " . $qdata . " <br><br>Issue: " . mysql_error());
         // set the condition for the switch statement
         $c = substr($qdata, 0, strpos($qdata, ' '));
         if($c == "DELETE" || $c == "INSERT" || $c == "UPDATE") {
             if(is_dir($this->cfg['logdir'])) $this->logLine($qdata, $this->cfg['qlog']);
             return true;
         }
         if(mysql_num_rows($result) == 0) return false;
         $array_result = array();   // initialised before the loop
         while($line = mysql_fetch_array($result, MYSQL_ASSOC)) {
             $array_result[] = $this->extract($line);   // str_replace works on the whole row array
         }
         return $array_result;
     }

     /*
      * Func: iquery($array,$table)
      * Desc: Insert data into the db (using just $_POST)
      */
     function iquery($arr, $table) {
         if(!$dataArr = $this->againstTable($arr, $table)) return false;
         $n = 1;
         $insertNames  = '';   // initialised so the first .= does not append to an undefined variable
         $insertValues = '';
         // Loop to create SQL query
         foreach($dataArr as $key => $value) {
             $insertNames  .= (sizeof($dataArr) == $n) ? $key : $key . ",";
             $insertValues .= (sizeof($dataArr) == $n) ? "'" . $value . "'" : "'" . $value . "',";
             $n++;
         }
         $this->query("INSERT INTO " . $table . " (" . $insertNames . ") VALUES (" . $insertValues . ");");
     }

     Basically, if you look at the array $chars, for inserted data I am searching for the keys and converting them to the values before insertion. It is a function I run all my inserts through. The query() function is what I do all my SELECTs with and it converts the characters back (the inject function encrypts, extract decrypts, for lack of a better term). These are written object oriented so I still have access to PHP's extract if ever needed. Question now being, what do you think of the effectiveness of this technique in terms of protecting against SQL injection? Are there ways to beat it? Are there better methods? Is this efficient? I'm not sure what algorithm PHP is using for str_replace, but the best ones don't run any faster than O(n). I don't think this runs any worse.
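As an added example (not the poster's code and not part of the framework linked above), here is the same insert-and-read-back flow written against PDO prepared statements, which is the usual answer to the question being asked: the values travel to the database separately from the SQL text, so no character table is needed in either direction and the stored text comes back exactly as submitted. It assumes PHP with the PDO SQLite driver, uses a constructed in-memory `news` table, and the names `insertRow`, `fetchNews` and the column whitelist are chosen for this example.

```php
<?php
// Added example, not the original poster's code: insert and select with PDO
// prepared statements instead of a character-substitution table.
// Uses an in-memory SQLite database so it runs offline; the table and the
// rows below are constructed for the demo.

function connect(): PDO {
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec("CREATE TABLE news (id INTEGER PRIMARY KEY, title TEXT, body TEXT)");
    return $pdo;
}

// Counterpart of iquery(): column names come from a whitelist fixed in code
// (never from the request), and every value is bound as a parameter.
function insertRow(PDO $pdo, string $table, array $allowedColumns, array $data): int {
    $cols = array_intersect_key($data, array_flip($allowedColumns)); // drop unknown keys
    if ($cols === []) {
        throw new InvalidArgumentException('no insertable columns');
    }
    $names = implode(', ', array_keys($cols));              // whitelisted identifiers only
    $marks = implode(', ', array_fill(0, count($cols), '?'));
    $stmt  = $pdo->prepare("INSERT INTO $table ($names) VALUES ($marks)");
    $stmt->execute(array_values($cols));
    return (int) $pdo->lastInsertId();
}

// Counterpart of query() for a SELECT: the id is bound, so there is no
// extract() step; the row is returned as it was stored.
function fetchNews(PDO $pdo, int $id): ?array {
    $stmt = $pdo->prepare("SELECT id, title, body FROM news WHERE id = ? LIMIT 1");
    $stmt->execute([$id]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

$pdo = connect();

// Constructed input containing every character the posted $chars table
// rewrites, plus a double quote, which is outside that table.
$title = "It's 100% done; <b>#1</b> = \$5, a/b*c \\ \"quoted\"";

// The 'evil' key is not in the whitelist and is silently dropped.
$id  = insertRow($pdo, 'news', ['title', 'body'],
                 ['title' => $title, 'body' => 'hello', 'evil' => 'x']);
$row = fetchNews($pdo, $id);

echo ($row !== null && $row['title'] === $title) ? "round-trip ok\n" : "mismatch\n";
```

Run it with `php example.php`. The design point is that the only strings spliced into the SQL are the table name and the whitelisted column names, both fixed in code; everything that originates from the request is passed through `execute()`, which is why the substitution and reverse-substitution passes become unnecessary.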
  3. Alright. I think I figured it out. The purpose of this is to change the look of the page with the click of a button by changing the path/address of all the images simultaneously. I figured it out though (luckily all my background images were in divs): var allDivs = document.getElementsByTagName("div"); for(var j=0; j<allDivs.length; j++){ if(allDivs[j].style.backgroundImage!="") allDivs[j].style.backgroundImage = allDivs[j].style.backgroundImage.replace(/path#/,"graphx/images/"); } In the future, "graphx/images/" will be a variable, pointing to the folders with similar named (but different) images. Thanks for the ping backs.
  4. Thanks Aaron. Unfortunately, that is still the one-by-one method I am trying to avoid. I'm looking for something like this: for(var i=0; i < document.images.length; i++) { document.images[i].src="something new"; } Unfortunately, that only works with img tags within the document. I'm looking for a similar way to wash over all the background images at once - including those specified in external css files - and avoid using document.all...
  5. Fellow Gurus, I am looking for a way to change the paths of background images using Javascript. I am aware of document.images as a data structure to access images, but does there exist the equivalent for background images? These do not seem to be included in said data structure. If not, does anyone have some good code to change the paths of background images post-render without doing them one-by-one? Ryan
  6. Well, I've always considered OOP an additional layer of abstraction using code structure. It offers little/no functionality to the code or page itself, just structure and clarification, modularity and inheritance. It favors large projects where reused code will save a lot of space/coding time. This is important because during actual runtime object oriented PHP code takes longer to execute than flat scripted code which does the same thing. The argument between OO and procedural is one of those never ending battles between warring CS factions and code developers. The only advice I could give is just never make objects for the sake of making objects.
  7. Thanks steal for the diagnostic. Turning off indexes in apache and removing full path disclosure in php.ini should remedy just about the whole list. As for the chat, in a more evolved version there will be strict checks on i/o. What I'm worried about right now is that the base functionality works. I'm in the midst of streamlining data throughput so that client-server pings are literally bits. Core functionality is what I'm worried about. So come in and stay a bit. Let me know the response/lagging times. Works best if there's more than a person in the room. Unfortunately users are sparse.
  8. Bumping this. Optimizing the back end code and would like a few people in the room to help me test. *Hint: Want to be mod? Just type: /auth doggie
  9. While I completely agree with the sentiment, when working in a big-company environment you might not have the choice. If Mr. Big Executive wants his employees to be printing a page when they come to it, then Mr. programmer makes the site print the page. There still could be options/control of the function within the page/applet. Trust me, I've had my share of (and battles against) those kinds of requests too. Although, I'd probably take this one just for the challenge.
  10. Once you send a header specifying an image MIME type to the browser, the only thing that the browser can display is an image! I'm surprised you weren't getting all sorts of errors by doing that. One thing you can consider is creating a separate php file which returns only images and using it as the source in an HTML image tag like so: <img src="img.php?index=5" alt=""> I generally don't store images in my db tables (although it's perfectly acceptable) but using the example above should allow you to do so. Good luck.
  11. Using Javascript to open the print dialog for a page is about as far as you can go with JS or any client side program. One possibility might be to create a java applet and implement the PrintObject class which would have the capability of automating a print job. It would still require the user to choose to trust the java applet. If you're familiar with Java, here is a great code reference: http://www.javacommerce.com/displaypage.jsp?name=printcode.sql&id=18252
  12. I actually use a database table and tag route (kind of like IRC flags). Basically, before/as each page is called, it looks up the auth tag for that page name in the db table. If that auth tag exists in the users session auth string, then show the page. Some pseudo code:

     $dbresult = mysql_fetch_assoc(mysql_query("SELECT auth FROM pages WHERE name='" . $pageURL . "'"));
     if(strstr($_SESSION['auth'], $dbresult['auth'])) {
         include($page);
     }

     This way, I can assign each user a different set of privileges and page access combos. A default user gets a basic predefined set. I could post my actual code, but it's more convoluted and contains a lot of contingency handling not discussed.
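The page-auth lookup described in that post, as an added example that is not the poster's code: the page name is bound as a prepared-statement parameter, an unregistered page is denied rather than included, and the tag comparison is an exact membership test. It assumes PHP with the PDO SQLite driver; the `pages` table, its rows and the session auth string are constructed for the demo, and the post does not say how the auth string is delimited, so a comma-separated list is assumed.

```php
<?php
// Added example, not the poster's code: tag-based page authorisation with a
// prepared statement and an exact tag match. In-memory SQLite, offline.

function connect(): PDO {
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec("CREATE TABLE pages (name TEXT PRIMARY KEY, auth TEXT NOT NULL)");
    // Constructed page -> required-tag rows.
    $stmt = $pdo->prepare("INSERT INTO pages (name, auth) VALUES (?, ?)");
    foreach ([['home', 'user'], ['reports', 'mgr'], ['admin', 'admin']] as $row) {
        $stmt->execute($row);
    }
    return $pdo;
}

// Returns the auth tag a page requires, or null if the page is not registered.
function requiredTag(PDO $pdo, string $pageName): ?string {
    $stmt = $pdo->prepare("SELECT auth FROM pages WHERE name = ? LIMIT 1");
    $stmt->execute([$pageName]);          // page name is bound, never concatenated
    $tag = $stmt->fetchColumn();
    return $tag === false ? null : $tag;
}

// Exact membership test over the session's tag list: assumed comma-separated.
function hasTag(string $sessionAuth, string $tag): bool {
    return in_array($tag, explode(',', $sessionAuth), true);
}

// Decision used in place of the include(): unknown page or missing tag means deny.
function mayView(PDO $pdo, string $sessionAuth, string $pageName): bool {
    $tag = requiredTag($pdo, $pageName);
    return $tag !== null && hasTag($sessionAuth, $tag);
}

$pdo  = connect();
$auth = 'user,readmin';   // constructed stand-in for $_SESSION['auth']
foreach (['home', 'admin', 'missing'] as $page) {
    echo $page, ': ', (mayView($pdo, $auth, $page) ? 'include' : 'deny'), "\n";
}
```

The `explode` plus strict `in_array` check is used instead of a substring search so that one tag name appearing inside another (here `readmin` versus `admin`) does not satisfy the test; the same structure works if the session stores an array of tags instead of a string.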
  13. Oh, and if you type "<form>" into the filter box on the gallery page, some additional hidden pictures will be revealed.
  14. Hey guys, So I often find myself sticking images in a web folder and then having the apache (or IIS) indexes turned on so that my friends can browse through the file names. Not the most effective image gallery, I know. Instead of going through the thousands of open source galleries out there, I decided to create my own, here's what is different about it: It consists of one file (the index file). It does not rely on either flat file or SQL databases. Creates thumbnails upon first install and whenever you add new images. Thumbnail generator includes real-time progress bar - useful when you have a lot of images. *Essentially the image gallery for really lazy (or busy) developers Here's the file: http://ryan.crawford.com/gallery.zip Here's a demo: http://ryan.crawford.com/yjfc/flyin07/?v=g There are a few known bugs and issues. No documentation yet. Feel free to poke around with it and post if you have any questions. Also make sure to tell me your server configuration and the browser(s) you used to test it with. Thanks! Ryan PS - And keep in mind this is an EARLY RELEASE. It doesn't have near the functionality that I'm planning for it.
  15. Did you let PHP configure your apache file? Sounds like you might be missing the AddType entry for php. That line looks like this: AddType application/x-httpd-php .php Usually this tells the server (in addition to the module and PHPIniDir and other configs) to use PHP to execute a .php file. You will have to explain the "not opening regular HTML pages." Is there an error associated with accessing them?
  16. Hi there. Assuming you are using virtualhosts to manage multiple domains, specifying an alias will work across all of them. In fact, I am not sure how to limit aliasing to just a single virtualhost. Because you would be aliasing a directory, within your original documentroot, there is no need to specify and configure another directory entry like the example alias does (for icons). Just simply add: Alias /mail "absolute/path/to/your/directory" Hope this helps!
  17. This is more of a networking issue than Apache. You are getting your router screen because your router is set up to accept port 80 traffic by default (basically it is running a mini webserver too). This means that traffic isn't even getting to your apache server. See if you have any configuration sections such as "port forwarding" or "port redirecting." My hunch is that you will need to assign your webserver a static (192.168.x.x) IP address (rather than acquisition through DHCP) and then have your router forward port 80 traffic to your server. Unfortunately, with the wide variety of routers and configs out there, this is a tough one to troubleshoot and I'm certainly no networking expert. Make sure you've gone through all the documentation that came with the router to ensure that it's even possible. Good Luck
  18. The key search words (if I understand the question correctly) relate to hot-linking and bandwidth theft - basically keeping users from directly accessing files from a web folder. It can also act to secure those files (for the most part). From apache.blog-city.com: You can create or edit your .htaccess file and add:

     RewriteEngine On
     RewriteCond %{HTTP_REFERER} !^http://(.+\.)?mysite\.com/ [NC]
     RewriteCond %{HTTP_REFERER} !^$
     RewriteRule .*\.(jpe?g|gif|bmp|png)$ - [F]

     The first line signals Apache to turn on the Rewrite engine. Line two matches any requests from your own mysite.com url. The [NC] code means "No Case", meaning match the url regardless of being in upper or lower case letters. The third line means allow empty referrals. The last line matches any files ending with the extension jpeg, jpg, gif, bmp, or png (you can replace these with your own file types). This will return a 403 Forbidden error. The premise is that any user who accesses those files must be referred by your website (.php page) or it will deny access to the files. Hope this helps. Good Luck, Ryan
  19. Active Server Pages (ASP) are a Microsoft product and are built into MS IIS. There is no native apache support for ASP, but there are a few workarounds. The most popular is Apache::ASP @ http://www.apache-asp.org/ which provides emulation through Perl. I've never used this but it's worth a look. Good Luck, Ryan
  20. Do you have any network monitoring software that could be monitoring or throttling bandwidth? I.e. Windows Firewall settings, etc? I would suspect that there is another process chained to that port parsing activity. That's my hunch since I have apache 2 running on Windows 2k and Windows 2k3 servers without a problem. Another place you will want to post this question if you already haven't is at apachelounge.com (exclusively for windows-apache users). Good Luck
  21. What you've typed seems to be a correct configuration. A way you could troubleshoot this is by turning on indexes for that directory and deleting the index file. Apache will then default to showing you a list of files in that directory. If test.php is listed, you will be able to click on it and view. Any errors then given would be an apache security mis-config. If test.php is not listed then it is a documentroot problem. Even if you do not have PHP and Apache appropriately configured to parse the PHP, you should still see the files. Good Luck.
  22. Yes. The remote request procedure is the order of the day. Sorry no Java here (question left in log). Unless I found a way to remove the applet security prompt!
  23. This is a browser chat that works with current Gecko, Trident, KHTML and WebCore based browsers. I've not tested or checked for compliance with Opera or the Presto layout engine. I've done my best to emulate IRC technology, meaning there is no page flickering and little latency (low response time) between your chat and my server. The chat includes a message window and user list. You will see your text immediately after you send it. You are automatically logged in when you enter the chat and logged out when you close the chat window. A chat-bot monitors room activity and returns critical messages. The load on my server is relatively low per-user. The link below will take you to my website where you will see another "open chat" link. Clicking "open chat" will open a pop-up which will prompt you for a username. You can choose any username you like. When you're done chatting, just close the chatroom window and you will be automatically logged out. The logout button doesn't work yet. Make sure you tell me how it went. What kind of response times you got and if the chat lagged (stuttered) and how I can improve. Feel free to email or message me with questions. If you see username roddzilla, it probably means I'm in the room working on it. Without further ado: Chat Room Alpha Release Also new IRC commands include: /auth {password} - makes you a moderator /op {username} - makes username a mod (mods only) /deop {username} - takes mod privileges away from username (mods only) /kick {username} - kicks username out of the chatroom (mods only) /authstate - returns 1 if you're a mod, 0 if not (mods also have gavel next to their username) /nick {new} - changes your username to {new} value (mods can't do this) /getnick - returns your original session nickname in case you've forgotten it /welcome - redisplays the welcome message /help - displays options If you're serious about testing it, message me and I'll give you the /auth password. Although it's not really fun until there are others in the chat with you just asking for a good swift kick. Also, tell me what other functions you think are essential to IRC so I can include them.
  24. I am running Windows 2K Server and was having trouble accessing network shares with apache. I've mapped a drive letter to the particular share, and have given the apache service the user account which accesses the share. I have tried both creating an alias using the network drive and a virtual host using the network drive as the document root. In both instances I receive a 403 Forbidden error (you do not have permission to access /dir/ on this server). My best guess is I'm missing a Windows permission error somewhere - though I've been through the permissions on the Apache machine and shared machine. Anyone else encounter this issue? Has anyone been able to do this successfully? Ryan