bbxrider

  1. yikes, thanks for all the great replies, please note, i am a php newbie, so that plus working with open source code is putting me in uncharted waters, but certainly want to hear as much as possible about the security issues. i'm getting the value of error_reporting with ini_get, i restart my server after any changes to php.ini, which brings up the question, is it possible to reset php.ini without restarting the server? for debugging, could you set a global variable in an application ini file, that you could check for debug/development or production and control error reporting that way? at this point not sure about redarrow's 'Finding dangerous variables with E_ALL' will have to digest that for a bit and probably repost with questions about that
  2. thanks again for the replies, so experimenting with setting error_reporting in the script, i can finally suppress the notices. however, this is strange. when error_reporting is set to E_ALL & ~E_NOTICE in php.ini, notices are still displayed, i checked, and its value at the script execution is 6137. when i set error_reporting to E_ALL & ~E_NOTICE in the script itself with the error_reporting function, notices are suppressed and its value is 6137. so even though it has the same value of 6137 there is different behavior depending on whether it is overridden or not in the script from the value set in php.ini???????????????????????????
  3. thanks for the replies, the ini_set and error_reporting() look like good tools to use for debugging and more granular error reporting. however, when considering an application that has many scripts, i'm still wondering why setting error_reporting in the php.ini did not or does not set the level of reporting everywhere. i checked the script that produced the page in question and it does not use ini_set or error_reporting() to override the php.ini settings. as far as eval, unfortunately (or maybe fortunately if it is considered bad coding practice) i did not write that code myself but am using an open source joomla extension. at this time i would not want to try the recoding necessary to remove the eval.
  4. please see my site page at (server probably down from 1:00-8:00am pacific) http://coolgulfbreeze.com/index.php/component/adsmanager/?page=write_ad i thought the 'notice' messages could be suppressed with error_reporting = E_ALL & ~E_NOTICE but actually it seems nothing suppresses the messages on this page, is there perhaps some other place other than the php.ini in my php directory that this can also be set? i was also trying to find the variable/array/technique that contains the php.ini settings so i can check them individually. bob
  5. with no replies i thought i'd try to restate the issue and see if that brings any response. what i'm trying to do is have a global cgi-bin that multiple virtual host domains can access. the alternative is to have a cgi-bin for each domain. at this point i wonder if it's possible to have such a configuration? i've seen suggestions that a global cgi-bin is not as desirable as one for each domain, any opinions on that? my reasoning is that like in all programming if there are commonly used subroutines, dll's, object code, etc. for maintenance issues it is better to have them in a central repository so any changes don't have to be replicated over and over again.
  6. this is apache 2.2.4 on winxp pro, php, perl, mysql, it's a development environment. my default install created c:/apache2/cgi-bin. i've tried a bunch of variations and my current .conf has DocumentRoot "C:/apache2/htdocs" and i currently have 5 domains via virtual host. for cgi directives i have:
         ScriptAlias /cgi-bin/ "C:/apache2/cgi-bin/"
     activated the mod_cgi.so
         <Directory "C:/apache2/cgi-bin">
             Options FollowSymLinks +ExecCGI -Indexes
             AddHandler cgi-script .cgi .pl
             AllowOverride None
             Order allow,deny
             allow from all
             Satisfy all
         </Directory>
     the problem is i can't directly access scripts in the cgi-bin, not in the browser (localhost) or if some script running in one of the domains tries to invoke using a 'windows path' ie, 'c:/apache2/cgi-bin/ubr_upload.pl'. if i have a script that is common to, or invoked from multiple domains, how do i configure access to a common cgi-bin directory? this is possible yes?
  7. i'm trying to get an open source application, uber upload, working. it needs to be configured with lots of paths. my config gets so far but fails when submitting the form that has a file name to be uploaded. (in firefox it gives the firefox msg: 'Firefox doesn't know how to open this address, because the protocol (c) isn't associated with any programs'- readings indicate this is likely a path problem) it eventually invokes a perl script. which makes me wonder about the path to the cgi-bin. i have coded it as 'c:/apache2/cgi-bin/ubr_upload.pl', because the path is set in variables in ini files. but since i can't run any scripts directly out of the cgi-bin from the browser, only from a 'domain' based path, eg. http://domainName.com/someCgiEnabledDir/script.cgi, i'm not sure if the paths need to be specified with a domain name. but that would mean i would always need a cgi-bin directory somewhere under the DocumentRoot and can't use the apache default cgi-bin?
  8. ok, the scripts run when the shebang line has the right path. also found the scriptInterpreterSource directive, which seems to make a lot of sense instead of relying on paths hardcoded in the shebang line, of course those paths always seem to change
  9. i'm running apache 2.2.4, under winxp pro, been trying to get perl running for a few hours now. i installed perl on a g: drive, g:/usr, with the latest active perl msi, perl -v runs from the command line. eventually i want to run at least one app, uber upload, that is typically configured to run .pl scripts from the std apache cgi-bin directory. but for now and to test, i created the hello.cgi script, to run out of a virtual host directory
         #!/usr/bin/perl
         print "Content-type:text/html\n\n";
         print "hello world";
     in my .conf i have the directory directives and no other (like to override other dirs at say at htdocs)
         <Directory />
             Options FollowSymLinks +ExecCGI -Indexes
             AllowOverride None
             Order deny,allow
             Deny from all
             Satisfy all
         </Directory>
     until i got to this point, in my virtual host log, i was getting
         -Options ExecCGI is off in this directory: C:/apache2/htdocs/myVirtDir/hello.cgi
     but now i'm getting
         -client denied by server configuration: C:/apache2/htdocs/myVirtDir/hello.cgi
     and i get a 403 forbidden in the browser. can somebody please try to decipher this to help me get a basic script to run and hopefully suggest what i might need to change beyond that to have scripts run out of the std apache cgi-bin directory. and i promise this is the last thing, is it undesirable to be able to have scripts run from other than the std cgi-bin directory? bob
  10. thanks everybody, for the help. i'm happy to report that: capital 'G' does work, so for 10gb i used '10G'; capital 'M', as tried originally (or lower case 'm') does not work; no letters, ie, for 10gb, use '10000000000' does work. there is an apache directive, LimitRequestBody, when set to 0, allows unlimited content body size, but if used to set limits, can only allow a max of 2147483647, the default is 0, and since i did not have it in my httpd.conf that default setting was working or not restricting. bob
  11. yes, phpinfo reports all settings as i have set
  12. thanks for the replies, server has been rebooted, this is my personal dev box, so i'm the only one making any settings. before i even try .htaccess, which i agree i'll prob need on hosted sites, i just want to get working as simple as possible and then start making changes so i can check along the way, then if something breaks, it should be easier to find what change caused the problem. i've seen where there can be browser set size limits. all those discussions always say browser settings are easily faked out, so use the php limits for reliability also will check the php ftp, but am still stuck here right now evidently with a 500mb limit coming from somewhere. ??? bob
  13. this is php5 running under apache, apache module, not cgi, on win xp pro - a development environment for me. i have tried the most basic script, as presented in http://us.php.net/features.file-upload the goal is to work up to uploading large files, 10g-ish, for a video thing. i get this error msg after about 5 minutes, i'm actually uploading a file on my server machine to the website, so it's actually very local, this was the first testing:
          Warning: POST Content-Length of 1024125257 bytes exceeds the limit of 545259520 bytes in Unknown on line 0
      so the content length is right, i don't see yet where the limit 545259520 is coming from. the file is actually 976 MB (1,024,124,928 bytes) per properties. i thought i had all sizes covered. on the form:
          <input type="hidden" name="sizelimit" value="10000000000" />
      in my php.ini: max_execution_time = 3600, max_input_time=3600, upload_max_filesize = 10000M, post_max_size=10000m, memory_limit=128 (i was hoping this memory would work, i didn't think i could/should make it 10g, the box has 2g of chip memory) so apparently i'm missing some thing, can anybody help with this? perhaps an apache thing? please bear with me on this, i know it will need plenty of work to make it a viable app, but for now i just wanted to run a proof of concept so to speak to see how long and if these large sizes are actually handled. bob
  14. ok thanks again. i have this directive which looks like it covers all dirs,
          <Directory />
              Options FollowSymLinks
              AllowOverride None
              Order deny,allow
              Deny from all
              Satisfy all
          </Directory>
      which actually i'd like to keep except for the domains i specifically want to override, can i put in the allowOverride for just specific dirs, even perhaps below the root, so only the scripts there are affected? and does this mean that if using the cgi-bin option, then htaccess is not an option? and if not htaccess is there an alternate method to achieve the same thing for cgi-bin
  15. thanks for the reply. apache module. my .conf:
          #start php5 modifications
          LoadModule php5_module "C:/php/php5apache2_2.dll"
          AddType application/x-httpd-php .php
          AddType application/x-httpd-php-source .phps
          PHPIniDir "C:/php"
          #end php5 modifications