bbxrider

Everything posted by bbxrider

  1. yikes, thanks for all the great replies, please note, i am a php newbie, so that plus working with open source code is putting me in uncharted waters, but certainly want to hear as much as possible about the security issues. i'm getting the value of error_reporting with ini_get, i restart my server after any changes to php.ini, which brings up the question, is it possible to reset php.ini without restarting the server? for debugging, could you set a global variable in an application ini file, that you could check for debug/development or production and control error reporting that way? at this point not sure about redarrow's 'Finding dangerous variables with E_ALL' will have to digest that for a bit and probably repost with questions about that
  2. thanks again for the replies, so experimenting with setting error_reporting in the script, i can finally suppress the notices. however, this is strange. when error_reporting is set to E_ALL & ~E_NOTICE in php.ini, notices are still displayed, i checked, and its value at the script execution is 6137. when i set error_reporting to E_ALL & ~E_NOTICE in the script itself with the error_reporting function, notices are suppressed and its value is 6137. so even though it has the same value of 6137 there is different behavior depending on whether it is overridden or not in the script from the value set in php.ini???????????????????????????
  3. thanks for the replies, the ini_set and error_reporting() look like good tools to use for debugging and more granular error reporting. however, when considering an application that has many scripts, i'm still wondering why setting error_reporting in the php.ini did not or does not set the level of reporting everywhere. i checked the script that produced the page in question and it does not use ini_set or error_reporting() to override the php.ini settings. as far as eval, unfortunately (or maybe fortunately if it is considered bad coding practice) i did not write that code myself but am using an open source joomla extension. at this time i would not want to try the recoding necessary to remove the eval.
  4. please see my site page at (server probably down from 1:00-8:00am pacific) http://coolgulfbreeze.com/index.php/component/adsmanager/?page=write_ad i thought the 'notice' messages could be suppressed with error_reporting = E_ALL & ~E_NOTICE but actually it seems nothing suppresses the messages on this page, is there perhaps some other place other than the php.ini in my php directory that this can also be set? i was also trying to find the variable/array/technique that contains the php.ini settings so i can check them individually bob
  5. with no replies i thought i'd try to restate the issue and see if that brings any response. what i'm trying to do is have a global cgi-bin that multiple virtual host domains can access. the alternative is to have a cgi-bin for each domain. at this point i wonder if it's possible to have such a configuration? i've seen suggestions that a global cgi-bin is not as desirable as one for each domain, any opinions on that? my reasoning is that like in all programming if there are commonly used subroutines, dll's, object code, etc. for maintenance issues it is better to have them in a central repository so any changes don't have to be replicated over and over again.
  6. this is apache 2.2.4 on winxp pro, php, perl, mysql, it's a development environment. my default install created c:/apache2/cgi-bin. i've tried a bunch of variations and my current .conf has

         DocumentRoot "C:/apache2/htdocs"

     and i currently have 5 domains via virtual host. for cgi directives i have:

         ScriptAlias /cgi-bin/ "C:/apache2/cgi-bin/"

     activated the mod_cgi.so

         <Directory "C:/apache2/cgi-bin">
             Options FollowSymLinks +ExecCGI -Indexes
             AddHandler cgi-script .cgi .pl
             AllowOverride None
             Order allow,deny
             allow from all
             Satisfy all
         </Directory>

     the problem is i can't directly access scripts in the cgi-bin, not in the browser (localhost) or if some script running in one of the domains tries to invoke using a 'windows path' ie, 'c:/apache2/cgi-bin/ubr_upload.pl'. if i have a script that is common to, or invoked from multiple domains, how do i configure access to a common cgi-bin directory? this is possible yes?
  7. i'm trying to get an open source application, uber upload, working. it needs to be configured with lots of paths. my config gets so far but fails when submitting the form that has the file name to be uploaded. (in firefox it gives the firefox msg: 'Firefox doesn't know how to open this address, because the protocol (c) isn't associated with any programs'- readings indicate this is likely a path problem) it eventually invokes a perl script. which makes me wonder about the path to the cgi-bin. i have coded it as 'c:/apache2/cgi-bin/ubr_upload.pl', because the path is set in variables in ini files. but since i can't run any scripts directly out of the cgi-bin from the browser, only from a 'domain' based path, eg. http://domainName.com/someCgiEnabledDir/script.cgi, i'm not sure if the paths need to be specified with a domain name. but that would mean i would always need a cgi-bin directory somewhere under the DocumentRoot and can't use the apache default cgi-bin?
  8. ok, the scripts run when the shebang line has the right path also found the scriptInterpreterSource directive, which seems to make a lot of sense instead of relying on paths hardcoded in the shebang line, of course those paths always seem to change
  9. i'm running apache 2.2.4, under winxp pro, been trying to get perl running for a few hours now. i installed perl on a g: drive, g:/usr, with the latest active perl msi, perl -v runs from the command line. eventually i want to run at least one app, uber upload, that is typically configured to run .pl scripts from the std apache cgi-bin directory. but for now and to test, i created the hello.cgi script, to run out of a virtual host directory

         #!/usr/bin/perl
         print "Content-type:text/html\n\n";
         print "hello world";

     in my .conf i have the directory directives and no other (like to override other dirs at say at htdocs)

         <Directory />
             Options FollowSymLinks +ExecCGI -Indexes
             AllowOverride None
             Order deny,allow
             Deny from all
             Satisfy all
         </Directory>

     until i got to this point, in my virtual host log, i was getting

         -Options ExecCGI is off in this directory: C:/apache2/htdocs/myVirtDir/hello.cgi

     but now i'm getting

         -client denied by server configuration: C:/apache2/htdocs/myVirtDir/hello.cgi

     and i get a 403 forbidden in the browser. can somebody please try to decipher this to help me get a basic script to run and hopefully suggest what i might need to change beyond that to have scripts run out of the std apache cgi-bin directory. and i promise this is the last thing, is it undesirable to be able to have scripts run from other than the std cgi-bin directory? bob
  10. thanks everybody, for the help. i'm happy to report that:
      - capital 'G' does work, so for 10gb i used '10G'
      - capital 'M', as tried originally (or lower case 'm') does not work
      - no letters, ie, for 10gb, use '10000000000' does work
      there is an apache directive, LimitRequestBody, when set to 0, allows unlimited content body size, but if used to set limits, can only allow a max of 2147483647, the default is 0, and since i did not have it in my httpd.conf that default setting was working or not restricting. bob
  11. yes, phpinfo reports all settings as i have set
  12. thanks for the replies, server has been rebooted, this is my personal dev box, so i'm the only one making any settings. before i even try .htaccess, which i agree i'll prob need on hosted sites, i just want to get working as simple as possible and then start making changes so i can check along the way, then if something breaks, it should be easier to find what change caused the problem. i've seen where there can be browser set size limits. all those discussions always say browser settings are easily faked out, so use the php limits for reliability also will check the php ftp, but am still stuck here right now evidently with a 500mb limit coming from somewhere. ??? bob
  13. this is php5 running under apache, apache module, not cgi, on win xp pro -a development environment for me. i have tried the most basic script, as presented in http://us.php.net/features.file-upload the goal is to work up to uploading large files, 10g-ish, for a video thing. i get this error msg after about 5 minutes, i'm actually uploading a file on my server machine to the website, so its actually very local, this was the first testing:

          Warning: POST Content-Length of 1024125257 bytes exceeds the limit of 545259520 bytes in Unknown on line 0

      so the content length is right, i don't see yet where the limit 545259520 is coming from. the file is actually 976 MB (1,024,124,928 bytes) per properties. i thought i had all sizes covered. on the form:

          <input type="hidden" name="sizelimit" value="10000000000" />

      in my php.ini:

          max_execution_time = 3600
          max_input_time=3600
          upload_max_filesize = 10000M
          post_max_size=10000m
          memory_limit=128

      (i was hoping this memory would work, i didn't think i could/should make it 10g, the box has 2g of chip memory) so apparently i'm missing some thing, can anybody help with this? perhaps an apache thing? please bear with me on this, i know it will need plenty of work to make it a viable app, but for now i just wanted to run a proof of concept so to speak to see how long and if these large sizes are actually handled. bob
  14. ok thanks again. i have this directive which looks like it cover all dirs,

          <Directory />
              Options FollowSymLinks
              AllowOverride None
              Order deny,allow
              Deny from all
              Satisfy all
          </Directory>

      which actually i'd like to keep except for the domains i specifically want to override, can i put in the allowOverride for just specific dirs, even perhaps below the root, so only the scripts there are affected? and does this mean that if using the cgi-bin option, then htaccess is not an option? and if not htaccess is there an alternate method to achieve the same thing for cgi-bin
  15. thanks for the reply. apache module. my .conf:

          #start php5 modifications
          LoadModule php5_module "C:/php/php5apache2_2.dll"
          AddType application/x-httpd-php .php
          AddType application/x-httpd-php-source .phps
          PHPIniDir "C:/php"
          #end php5 modifications
  16. i'm using apache 2.2.4 with win xp pro hosting multiple domains with virtual host. one domain is joomla with an extension docman to manage file uploading, i have configured the docman app to accept very large files. i have tried to override the default php.ini upload_max_filesize for just the one domain by putting an .htaccess in the root dir with 'php_value upload_max_filesize 20000m' (yes looking to upload 20gb files for a special app). the .htaccess didn't work. i also tried putting a modified php.ini in the root dir, that also didn't work. i have tested successfully with modifying the standard php.ini so i know everything else is working once the php limit is increased. so i'm not sure if i had misread how htaccess or php.ini in the root dir works with apache for modifying php. and i'm not sure either if this is more a php question than apache? but if anybody can help with this please do bob
  17. ok thanks again for the followup bob
  18. thanks for the help. so resolving occurs when using dble quote vs single, that's kinda a convenience where you can have vars resolved within a literal text string, saving having to concatenate, yes? or are there other reasons for the parsing difference between dble and single? bob
  19. this is php 5, windows xp pro, apache. see the script below, responds to a basic form:

          <html>
          <body>
          Welcome <?php echo $_POST["name"]; ?> <br />
          You are <?php echo $_POST["age"]; ?> years old.
          <?
          echo "$_server request_uri = " . $_SERVER['REQUEST_URI']. "<br />";
          echo "$_server request_uri = " . $_SERVER['SERVER_SOFTWARE']. "<br />";
          ?>
          </body>
          </html>

      i get the response below, on the one hand it's giving an error but it also seems to be displaying the $_server variable info?? not sure what to make of that:

          Welcome bob
          You are 58 years old.
          Notice: Undefined variable: _server in C:\apache2\htdocs\1614\php\php1.php on line 15
          request_uri = /php/php1.php
          Notice: Undefined variable: _server in C:\apache2\htdocs\1614\php\php1.php on line 16
          request_uri = Apache/2.2.4 (Win32) PHP/5.2.1 mod_aspdotnet/2.2
  20. for winxp pro, apache 2.2.4 i have been running the setup i have for 16 mos everything ok, then suddenly only 1 site works. i have had my hosts file set to 127.0.0.1 for all the sites and commented those lines out to test name resolution and still nothing. i have separate error logs for each site and there is nothing i can see, no errors at all. the site that comes up is a very basic, static html. 1 site not working is plone, iexplorer gives a 404 error code 'the webpage cannot be found'. the other site not working is mambo, its not a 404, but the ie message is 'Internet Explorer cannot display the webpage'. i set the loglevel to 'debug', thinking this would be most detailed error messages, but still nothing in the error logs. any suggestions? bob
  21. good news here got it, not sure which step but doing all the mandatory steps got my php working this guide is the best http://www.peterguy.com/php/install_IIS6.html#IISConfigure i only did the mandatory, will now probably follow up on the recommended as well thanks for all the help here bob
  22. thanks again for another follow up there is no question that the file extension is .php i have been a programmer for many years and i do know what a file extension is, my problem is that no number of years of programming seem to help in a situation like this, where so much is going on under the hood with ms for this server i suppose apache could be an option but not for this machine at this time when i get a problem like this, where the software should be working, i don't think its a good solution to just go to something else, there is some problem and it needs to be found and fixed. until i hear some very definitive report that php just doesnt work on sbs2003 i will keep trying. even if i have to start again from the beginning i appreciate yours and any suggestions, it is easy to overlook or miss even simple things i'm currently going through this set of actions and will let you know how that progresses http://www.peterguy.com/php/install_IIS6.html#IISConfigure
  23. my file is test.php for sure, this is very frustrating, something weird about sbs2003 vs the install i did on a winxp box any other forums around that might be worth a try? bob
  24. before i start let me say i'm hopefully not a complete idiot as i have installed php before on an xp pro machine, no problem, the php install is about as easy as it gets. when i test with localhost/test.php i get the 404 error. this is the entry from the iis log

          2008-02-06 01:38:04 W3SVC1 127.0.0.1 GET /test.php - 80 - 127.0.0.1 Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+5.2;+.NET+CLR+1.1.4322;+.NET+CLR+2.0.50727;+.NET+CLR+3.0.04506.30) 404 2 1260 1830 525

      i used this installer: php-5.2.5-win32-installer.msi, specified the iis isapi option. php is in both the web service extensions and application extensions, (i'm guessing the installer did that). php is in the environment variables. i stopped and started the website. this is my php.test file:

          <?php phpinfo();?>

      the website is working with html files. there must be something else for sbs2003 that needs to be done?? bob
  25. i'm just starting to work with php for first time for a mambo project. i've read the manual on the session save path but have a few questions.
      - php uses this in background so to speak, for temp work files that it needs for whatever? so any files it created would be deleted at the end of session or when not needed anymore?
      - if i/my program went to save some file and didn't know enough or care enough to specify some path, that file would get saved there?
      - if php is invoked by say apache, do the file permissions get checked with user/user group that apache is running under to check if php can actually create, read, write, and delete in the specified directory, so permissions are inherited from session user that invoked php, and seen some stuff about setting it somehow with something called .htaccess?
      - there is some stuff i've seen that the directory for save path shouldn't be accessible to the world some how, not sure how that works. if the web site has a directory that enables visitors to open files, and if the session path files were there, somebody could read those and get info that could be used to hack or something?
      i know there's a lot here, that goes into apache and web stuff, but any info would be appreciated thanx bbxrider